Latest revision as of 21:11, 27 August 2014
Overview
This article acts as a quick reference to PCI DSS requirements and how they relate to Information Technology.
The below PCI DSS sections refer to PCI DSS version 3.0 dated November 2013.
8.1 User Accounts
For details on how to implement these requirements in a Microsoft Active Directory environment see: PCI DSS 8.1 Group Policy
8.1.1 - Assign all users a unique ID.
8.1.2 - Control: addition, deletion, modification of unique ID.
8.1.3 - Immediately revoke access for any terminated users.
8.1.4 - Remove/disable inactive user accounts at least every 90 days.
8.1.5 - Manage vendor IDs, monitor them when in use, and enable them only when needed.
8.1.6 - Lockout user accounts after no more than 6 failed attempts. *
8.1.7 - Lockout duration is a minimum of 30 min. *
8.1.8 - Require user to re-authenticate after 15 minutes of inactivity.
8.2 Passwords/Authentication
8.2.0 - Require at least one of the following authentication mechanisms: Something you know (Password), Something you have (Token), Something you are (Biometrics).
8.2.1 - Encrypt all authentication credentials in transmission and storage.
8.2.2 - Verify user identity before making modifications (such as password resets).
8.2.3 - Passwords must meet complexity requirements (minimums: password length 7, characters alphabetic AND numeric).
8.2.4 - Passwords expire every 90 days.
8.2.5 - Password history: do not allow a user to reuse any of their previous 4 passwords.
8.3 Remove Access
8.3.0 - Require two-factor authentication for remote network access: at least 2 of the authentication mechanisms listed in section 8.2 Passwords/Authentication, from different categories.
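The 8.1, 8.2 and 8.3 items above are concrete, checkable numbers, so an auditor can test a directory's exported settings against them. The following is an added example, not part of this wiki page or of any PCI Council or Microsoft tooling: a small Python audit module that checks a lockout/password policy (as a plain dict), finds accounts inactive for more than 90 days (8.1.4), tests a candidate password against the 8.2.3 minimums, enforces the 4-password history (8.2.5) and confirms that remote-access mechanisms span two distinct factor categories (8.3). The dict keys, the sample policies, accounts and passwords are all constructed for the example; map them to whatever your directory export actually produces.

```python
"""Audit helpers for the PCI DSS v3.0 section 8 items quoted on this page.
Added example; input is plain Python data (e.g. from a directory export)."""
import hashlib
from datetime import datetime, timedelta, timezone

INACTIVE_DAYS = 90  # 8.1.4


def check_policy(policy):
    """Compare a lockout/password policy dict against the section 8 minimums.
    Returns a list of (requirement, message); an empty list means compliant."""
    findings = []
    threshold = policy["lockout_threshold"]
    if threshold == 0 or threshold > 6:  # 0 means "never lock out" in most directories
        findings.append(("8.1.6", f"lockout threshold {threshold} must be between 1 and 6"))
    if policy["lockout_minutes"] < 30:
        findings.append(("8.1.7", f"lockout duration {policy['lockout_minutes']} min is below 30"))
    if policy["idle_timeout_minutes"] > 15:
        findings.append(("8.1.8", f"idle timeout {policy['idle_timeout_minutes']} min exceeds 15"))
    if policy["min_password_length"] < 7:
        findings.append(("8.2.3", f"minimum length {policy['min_password_length']} is below 7"))
    if not policy["complexity_enabled"]:
        findings.append(("8.2.3", "alphabetic AND numeric complexity is not enforced"))
    age = policy["max_password_age_days"]
    if age == 0 or age > 90:  # 0 means "never expires"
        findings.append(("8.2.4", f"maximum password age {age} days must be 1..90"))
    if policy["password_history"] < 4:
        findings.append(("8.2.5", f"password history {policy['password_history']} is below 4"))
    return findings


def inactive_accounts(accounts, now, days=INACTIVE_DAYS):
    """8.1.4: names of enabled accounts not used within `days`.
    Accounts that have never logged on are flagged too (design choice for this example)."""
    cutoff = now - timedelta(days=days)
    return [a["name"] for a in accounts
            if a["enabled"] and (a["last_logon"] is None or a["last_logon"] < cutoff)]


def password_meets_8_2_3(password):
    """8.2.3 minimums: at least 7 characters with at least one letter AND one digit."""
    return (len(password) >= 7
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def _digest(password):
    # Illustration only: a real directory stores salted, slow password hashes.
    return hashlib.sha256(password.encode()).hexdigest()


def reuses_previous_password(new_password, previous_digests, history=4):
    """8.2.5: True if the candidate matches any of the last `history` passwords."""
    return _digest(new_password) in previous_digests[-history:]


# Factor category per mechanism (8.2.0): know / have / are. Two mechanisms from the
# same category (e.g. password + PIN) do not count as two-factor under 8.3.
FACTOR_CATEGORY = {"password": "know", "pin": "know", "token": "have",
                   "smartcard": "have", "certificate": "have",
                   "fingerprint": "are", "face": "are"}


def remote_access_is_two_factor(mechanisms):
    """8.3: remote network access needs mechanisms from at least two categories."""
    return len({FACTOR_CATEGORY[m] for m in mechanisms}) >= 2


# ---- constructed sample data ----
WEAK_POLICY = {"lockout_threshold": 0, "lockout_minutes": 10, "idle_timeout_minutes": 60,
               "min_password_length": 6, "complexity_enabled": False,
               "max_password_age_days": 0, "password_history": 2}
COMPLIANT_POLICY = {"lockout_threshold": 6, "lockout_minutes": 30, "idle_timeout_minutes": 15,
                    "min_password_length": 7, "complexity_enabled": True,
                    "max_password_age_days": 90, "password_history": 4}
NOW = datetime(2014, 8, 27, tzinfo=timezone.utc)
ACCOUNTS = [
    {"name": "alice", "enabled": True, "last_logon": NOW - timedelta(days=3)},
    {"name": "bob", "enabled": True, "last_logon": NOW - timedelta(days=120)},
    {"name": "svc-vendor", "enabled": False, "last_logon": NOW - timedelta(days=200)},
    {"name": "carol", "enabled": True, "last_logon": None},
]
PREVIOUS = [_digest(p) for p in ("Winter2013", "Spring2014", "Summer2014",
                                 "Autumn2013", "Autumn2014")]

if __name__ == "__main__":
    for req, msg in check_policy(WEAK_POLICY):
        print(f"FAIL {req}: {msg}")
    print("compliant policy findings:", check_policy(COMPLIANT_POLICY))
    print("8.1.4 inactive:", inactive_accounts(ACCOUNTS, NOW))
    print("8.2.3 'abc1234':", password_meets_8_2_3("abc1234"))
    print("8.2.5 reuse 'Spring2014':", reuses_previous_password("Spring2014", PREVIOUS))
    print("8.3 password+pin:", remote_access_is_two_factor(["password", "pin"]))
```

The checks deliberately treat a lockout threshold or password age of 0 as a failure, because in Active Directory and most other directories 0 means "never", which reads as compliant to a naive "less than or equal" comparison. Feed `check_policy` the values from your own policy export and the findings list is the gap report against the numbers on this page.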
8.4 Documentation
8.4.0 - Communicate authentication procedures to all users.
8.5 Generic Accounts
8.6 Access Control
8.7 Databases
8.8 Documentation
Reference
https://www.pcisecuritystandards.org
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf