The goal
The goal of PCI DSS Key Requirement 8 is to protect payment card account data by maintaining a sustainable capability for the reliable application of strong authentication controls for all in-scope users and systems, and to ensure that only authorized users can access any system component in the CDE; are uniquely identifiable, accountable and traceable; and are given entitlements based on “least privilege” and “need to know.”
This goal includes complete integration with all related PCI DSS Key Requirements for the establishment of an effective, integrated series of control systems, and the development and ongoing improvement of all related capabilities, processes, documentation, tools and training needed to achieve < Quantitatively managed/Optimized > maturity of this key requirement by < insert date >.
Goal applicability and scope considerations
- People: All in-scope users with access to sensitive data, systems and locations, which applies to all personnel, including general users, administrators, vendors and other third parties that access the entity’s network from an external or remote network
- IT components: The application of automated authentication technology across the CDE, including technologies such as Remote Authentication Dial-In User Service (RADIUS) with tokens, Terminal Access Controller Access-Control System (TACACS) with tokens, and other technologies that facilitate multifactor authentication
Goal requirements: some of the primary conditions necessary to achieve the goal
- Capability—procedures: Maintain an organizational capability for strong governance over the entire life cycle of users, including management approval, provisioning, periodic certification and decommissioning; maintain documented authentication procedures with supporting awareness and training. Every user has their own authorized credentials, which are never shared; passwords meet industry standards; and inactive and terminated accounts are suspended and, where possible, removed
- Capability—automation: Create the capability to establish and reliably maintain strong authentication for users and administrators, including the capability to correctly design, implement and maintain multifactor technologies for strong MFA and secure remote network access for all connections originating from outside the entity’s network that could access or impact the CDE, so that no in-scope system component can be accessed with a single authentication factor
- Capability—monitoring: The active, effective and sustainable monitoring of the use and configuration of authentication systems, with timely detection and response to misconfigurations and system event alerts
Strong dependencies and integration with other key requirements
- Requirement 7: Strong dependency and integration with access control requirements
- Requirement 10: Integration with logging and monitoring to detect and respond to authentication incidents
- Requirement 2: Secure configuration of all authentication system components
- Requirement 9: Integration with physical security control
- Requirement 1: Integration with network security controls to protect access to authentication systems
Short-term objectives
- Scope: Maintain a capability to effectively identify and document all in-scope components through user-to-component mapping, and formally assign roles and responsibilities to all users and systems
- Automate: Implement and maintain effective systems to automate user ID and authentication systems, management reporting, and monitoring across the entire CDE
- Secure remote access: Implement and maintain MFA to secure access to the CDE, and configure MFA systems to prevent misuse
Long-term objectives
- Maturity—technical: Improve configurations, documentation and integration with dependent key requirements
- Maturity—process: Improve the effectiveness with which the authentication process is integrated, maintained and managed to achieve high performance, continuous improvement and maturity
Common constraints
- Competency: The design, implementation and maintenance of authentication systems can be complicated in large, complex environments, requiring specialized competencies
- Cost: The cost of authentication solutions can be prohibitive
- Capability: The ability to effectively support and sustain authentication system projects with the necessary processes and capabilities; reaching maturity may require many months, or several years, of improvements