Contents
Overview
This article acts as a quick reference to PCI DSS requirements and how they relate to Information Technology.
The below PCI DSS sections refer to PCI DSS version 3.0 dated November 2013.
8.1 User Accounts
For details on how to implement these requirements in a Microsoft Active Directory environment see: PCI DSS 8.1 Group Policy
8.1.1 - Assign all users a unique ID.
8.1.2 - Control: addition, deletion, modification of unique ID.
8.1.3 - Immediately revoke access for any terminated users.
8.1.4 - Remove/disable inactive user accounts at least every 90 days.
8.1.5 - Manage vendor ID's, monitor when in use, enabled only when neeeded.
8.1.6 - Lockout user accounts after no more than 6 failed attempts. *
8.1.7 - Lockout duration is a minimum of 30 min. *
8.1.8 - Require user to re-authenticate after 15 minutes of inactivity.
8.2 Passwords/Authentication
8.2.0 - Require at least one of the following authentication mechanisms: Something you know (Password), Something you have (Token), Something you are (Biometrics).
8.2.1 - Encrypt all authentication in transmission and storage.
8.2.2 - Verify user identity before making modifications (such as password resets).
8.2.3 - Password must meed complexity requirements (minimums, Password Length: 7, Characters: Alphabetic AND Numeric).
8.2.4 - Passwords expire every 90 days.
8.2.5 - Password History, Do not allow a user to reuse one of their previous 4 passwords.
8.3 Remove Access
8.3.0 - Require Two-Factor authentication for remote network access. Require at least 2 authentication mechanisms listed in section PCI DSS 8.2 Group Policy
8.4 Documentation
8.4.0 - Communicate authentication procedures to all users.
8.5 Generic Accounts
8.6 Access Control
8.7 Databases
8.8 Documentation
Reference
https://www.pcisecuritystandards.org
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf