In this tip, we explore the fourth focus area of PCI DSS in depth: implementing strong access control procedures. This portion of the standard includes requirements relating to restricting access to cardholder data, assigning unique identifiers to system users and restricting physical access to cardholder data.
RESTRICTING ACCESS TO CARDHOLDER DATA BY NEED-TO-KNOW
Requirement 7 of PCI DSS mandates that you restrict access to cardholder data by business need-to-know. Essentially, you must ensure that you take adequate steps to prevent individuals without appropriate authorization from accessing cardholder data in your systems. Here are some specific requirements in this area:
- Assign access to individuals based upon their job function and limit their access to the minimum required to complete their jobs.
- Use an authorization form for each privilege assignment that specifies the privileges required and includes management sign-off.
- Use an automated access control system that follows access restrictions and denies any activity that is not explicitly allowed.
These are all common-sense principles of access control, and you probably won't find anything surprising in this section. In my experience, the most common gap organizations have is the PCI DSS requirement for a paper trail of authorizations. Be sure you're keeping tabs on the forms signed by management approving access and have them accessible in the event
ASSIGNING UNIQUE IDs
The eighth PCI DSS requirement governs the use of unique identifiers for access to systems in the cardholder environment. The goal of this requirement is to ensure that strong authentication identifies each individual so that they may be held accountable for their actions. Specific requirements in this section include:
- Using unique identifiers for all users. There should be no group or shared logins to any system in the cardholder environment.
- The use of strong passwords (at least seven alphanumeric characters, changed every 90 days) or two-factor authentication for all access, with the requirement of two-factor authentication for all remote access.
- Maintaining a password history that blocks individuals from reusing any of their last four passwords.
- Locking out users for at least 30 minutes after six incorrect login attempts and logging out sessions after 15 minutes of idle time.
- Encryption of passwords during transmission and storage.
- Implementation of formal procedures for addition, modification and deletion of accounts, password resets and first-time passwords. You must also formally communicate these procedures to all users.
- Revoking access immediately for terminated users and those who have been inactive for 90 days.
This is another area where you likely already have some security policies, even if they're not formal policy declarations. Your best bet is to pull up a copy of your access requirements and PCI DSS Requirement 8, comparing them side by side to identify any gaps.
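As an added illustration (not part of the original tip and not an official PCI tool), the account-level items from the Requirement 8 list above can be checked against an export of user accounts. The record layout, field names and sample accounts below are constructed assumptions for this example.

```python
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90   # passwords must change every 90 days
MAX_INACTIVE_DAYS = 90       # revoke accounts that have been inactive for 90 days

# Constructed sample export; the field names are assumptions for this example.
ACCOUNTS = [
    {"user": "jsmith", "owners": ["J. Smith"], "employed": True, "enabled": True,
     "last_login": date(2009, 9, 28), "password_set": date(2009, 8, 15)},
    {"user": "frontdesk", "owners": ["A. Lee", "B. Cruz"], "employed": True, "enabled": True,
     "last_login": date(2009, 9, 30), "password_set": date(2009, 3, 1)},
    {"user": "mjones", "owners": ["M. Jones"], "employed": False, "enabled": True,
     "last_login": date(2009, 9, 1), "password_set": date(2009, 8, 20)},
    {"user": "tkhan", "owners": ["T. Khan"], "employed": True, "enabled": True,
     "last_login": date(2009, 5, 4), "password_set": date(2009, 9, 1)},
    {"user": "oldtemp", "owners": ["R. Diaz"], "employed": False, "enabled": False,
     "last_login": date(2008, 12, 1), "password_set": date(2008, 11, 1)},
]

def audit_accounts(accounts, today):
    """Return {user: [findings]} for enabled accounts that miss a Requirement 8 item."""
    report = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # access already revoked, nothing left to flag
        findings = []
        if len(acct["owners"]) > 1:
            findings.append("shared login")
        if not acct["employed"]:
            findings.append("terminated user still enabled")
        if (today - acct["last_login"]).days >= MAX_INACTIVE_DAYS:
            findings.append("inactive 90+ days")
        if (today - acct["password_set"]).days > MAX_PASSWORD_AGE_DAYS:
            findings.append("password older than 90 days")
        if findings:
            report[acct["user"]] = findings
    return report

if __name__ == "__main__":
    for user, findings in audit_accounts(ACCOUNTS, date(2009, 10, 1)).items():
        print(f"{user}: {', '.join(findings)}")
```

Each finding maps to one bullet in the list above, so the output doubles as a gap list for the side-by-side comparison.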
RESTRICTING PHYSICAL ACCESS
The final requirement of this section mandates that you restrict physical access to cardholder data. I've seen this requirement cause quite a bit of angst in organizations that do not already have strong physical access procedures. The specific requirements of this section include:
- Using physical security controls to restrict and monitor access to systems.
- Using video cameras to record physical access to data centers, server rooms or any other area that houses cardholder data systems (excluding point-of-sale terminals) and retaining the videotapes for at least three months.
- Restricting physical access to network jacks and devices.
- Using a badging system to identify employees and visitors and implementing visitor control procedures that include authorization, badging and logging.
- Applying physical security controls to storage areas for backup media and paper records.
- Implementing strong procedures for the management, tracking and destruction of all media containing cardholder data.
- Destroying cardholder data by shredding, incinerating or pulping hardcopy records and securely wiping or physically destroying electronic media.
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a contributor to SearchMidmarketSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the "CISSP Prep Guide" and "Information Security Illuminated."
This was first published in October 2009