Understanding PCI Requirement 8: No More Shared Passwords in PCI Compliance

New to PCI? Start here https://www.securitymetrics.com/learn...

Transcript:

Welcome to PCI 101 by SecurityMetrics. Let’s dive into Requirement 8: Identify Users and Authenticate Access to System Components.

When protecting your system and your data, it’s essential to know who has access and how they’re getting access. To be compliant with this requirement, you’ll need to identify users and authenticate their access into your system. This means making sure every employee has their own unique ID credentials and an individual account on their laptop. When employees use somebody else’s username and password, accountability gets messy and can get lost. From a logging and forensics perspective, it gets hard to determine who’s done what when multiple people are using the same account. Employees need their own username and password.

When employees set up their passwords, they should not use generic accounts or passwords, shared group passwords, or passwords reused across different services. Instead, set a different, strong, long password for every service you use, and change these passwords at least every 90 days. Your passwords should also be at least 12 characters long.

An easy way to remember complex passwords is to use passphrases. Passphrases are groups of words, which might include spaces and punctuation (if your system allows), as well as numbers and special characters. Here’s an example passphrase (on-screen text): “We Never Drove to Vancouver in 84 BUT in 88?” Long? Yes, but secure? Very.

You also need to establish automatic account lockouts: after a set number of failed login attempts, the account is locked and the system administrator has to unlock it. For example, an account could be locked after six consecutive failed login attempts within a 30-minute period. If attackers only have six chances to guess your password, they’ll likely fail.

For cardholder data environment access, multi-factor authentication needs to be used. Multi-factor authentication means you’re combining at least two of the following factors:

• Something only you know, such as a password or PIN
• Something only you have, such as a hardware token or smartcard
• Something only you are, such as a fingerprint, ocular scan, or voiceprint

This is a pretty common standard for most apps and software these days. For example, an employee trying to access your cardholder data environment needs to enter their username and password, and then must enter a one-time password sent to their smartphone.

A few extra security measures make a big difference in your organization’s safety. Thanks for watching PCI 101 by SecurityMetrics. If you have any questions about this requirement, visit our website at SecurityMetrics.com, or give our PCI experts a call at (801) 995-6855.
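The lockout rule the transcript describes (six consecutive failures inside a 30-minute window lock the account, and only an administrator unlocks it), worked through as an added Python example that is not SecurityMetrics' code; the login events, account names and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta
# Policy values from the transcript: six consecutive failures inside a
# 30-minute window lock the account, and only an administrator unlocks it.
MAX_FAILURES = 6
WINDOW = timedelta(minutes=30)

class LockoutTracker:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW):
        self.max_failures = max_failures
        self.window = window
        self.failures = {}  # account -> timestamps of recent consecutive failures
        self.locked = set()

    def record(self, account, success, at):
        """Apply one login event; return True if the account is locked afterwards."""
        if account in self.locked:
            return True  # stays locked until admin_unlock(), even with the right password
        if success:
            self.failures.pop(account, None)  # a success resets the consecutive count
            return False
        # keep only failures inside the rolling 30-minute window ending at this attempt
        recent = [t for t in self.failures.get(account, []) if at - t <= self.window]
        recent.append(at)
        self.failures[account] = recent
        if len(recent) >= self.max_failures:
            self.locked.add(account)
            self.failures.pop(account, None)
            return True
        return False

    def admin_unlock(self, account):
        self.locked.discard(account)

BASE = datetime(2024, 5, 1, 9, 0)  # constructed start time for the sample log

def events(user, results, step_minutes):
    """Constructed sample login events for user, one every step_minutes."""
    return [(BASE + timedelta(minutes=i * step_minutes), user, r) for i, r in enumerate(results)]

# Constructed sample: alice fails 5x then succeeds (count resets); bob fails 6x in six
# minutes (locked, later correct login refused); carol's 6 failures are 20 min apart.
SAMPLE = (events("alice", ["FAIL"] * 5 + ["OK"], 1)
          + events("bob", ["FAIL"] * 6 + ["OK"], 1)
          + events("carol", ["FAIL"] * 6, 20))

def replay(sample):
    """Feed events in time order and return the tracker for inspection."""
    tracker = LockoutTracker()
    for at, user, result in sorted(sample):
        tracker.record(user, result == "OK", at)
    return tracker
```

Only bob ends up locked: alice's success resets her count, and carol never accumulates six failures inside one 30-minute window, which is the difference between a lockout policy and a simple lifetime failure counter.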