We are going to highlight the crucial Requirement 8: Identify and Authenticate Access to System Components. Many organizations are paying more attention to their security measures after the rash of retail breaches experienced at the end of 2013 and early of 2014. Requirement 8 was overlooked by some companies who experienced these large security breaches. Had this requirement been implemented and monitored it may have prevented these breaches from happening to begin with.
Visa and MasterCard have both released Security Bulletins within the last month regarding remote access. For those not familiar, remote access is accessing a computer or network server from a location other than where that system is located. For example, you access your work computer using your home computer.
Requirement 8 of the PCI Data Security Standards states that a merchant receiving funds for transactions from the Card Brands must, “Assign a Unique ID to Each Person with Computer Access” (i.e., unique username and password). This means a unique identification must be assigned to each person accessing your network and/or systems; whether to a particular computer, application, or to remote access these systems.
Don’t Be the Target
You may recall the Target breach of late 2013. The initial breach of their network was traced back to network credentials that were stolen from a third-party vendor of Target. Using these credentials the hackers were able to access the network. From there they discovered Target’s payment systems network was also accessible. With access to their payment systems the hackers were able to install their card-stealing malicious software into specific cash registers.
It’s easy to see, the failure to require a unique set of login credentials (Unique ID) to each network was costly, but that was not the only misstep.
Remote Access Standards
“Requirement 8” also states there should be rules around when remote access is accessible. This means remote access should not be enabled at all times. Specific guidance for this states that a two-factor authentication should be in place to confirm the person logging in should have access. It goes on to state that remote access should only be enabled as needed and should be monitored at all times while someone is remotely logged in.
Meet the Requirement
With the understanding of the importance of implementing strong access control measures, review your systems policies and ensure your users have unique IDs. You want to ensure access to the computers, applications, and networks within your organization are protected.
If you currently offer Remote Access, or this is something you are considering, Requirement 8 will allow your organization to determine what security measures to put in place to best protect your network and its data.
Next month, we’ll look at Requirement 9 which is focused on securing physical access to cardholder data. This wraps-up the focus of “Implementing Strong Access Control Measures” fourth area of focus of PCI Data Security Standards.
If you have any questions about PCI that you would like to see covered, let us know! You can email us at firstname.lastname@example.org to share your thoughts or questions which we may then address here on our blog!