Requirement 8: Identify users and authenticate access to system components


    This requirement mandates that access to system components is identified and authenticated, and that each user is assigned a unique identification.

    Figure 20. Global state of PCI DSS compliance: Requirement 8

    Full compliance: 83.2% of organizations achieved and maintained full compliance with Requirement 8, a very healthy performance increase of 9.2 pp from the year before, and nearly equaling the record of 83.5% set in 2016.

    Control gap: The control gap narrowed substantially, from 8.1% to a low 2.9%. Control 8.3.1 (Verify that multifactor authentication is required) improved by 11.2 pp.

    Compensating controls: Requirement 8 was the most compensated requirement since 2015, falling to second place after Requirement 6 took the top spot for the first time this year.

    Figure 21. Requirement 8 control performance

    A tip on sustainable control effectiveness

      Organizations often fail to remove terminated user accounts in a timely manner, leaving themselves potentially exposed to account misuse by disgruntled personnel. Terminated user accounts must be disabled immediately, and these processes should be included with Human Resources exit procedures. Strict service level agreements (SLAs) for removal of access should be established so that access is disabled just prior to employee termination, when possible.
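As an added illustration of the tip above (not code from the report), the following reconciliation check compares an HR termination feed against a directory export and flags accounts whose access outlived an assumed 24-hour removal SLA; the records, field names and SLA value are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the report): an HR feed of terminations and
# a directory export of accounts. Timestamps are ISO 8601 in one timezone.
HR_TERMINATIONS = [
    {"user": "jdoe",   "terminated": "2023-03-01T17:00:00"},
    {"user": "asmith", "terminated": "2023-03-02T09:00:00"},
    {"user": "bwong",  "terminated": "2023-03-03T12:00:00"},
]
DIRECTORY_ACCOUNTS = [
    {"user": "jdoe",      "enabled": False, "disabled_at": "2023-03-01T16:30:00"},
    {"user": "asmith",    "enabled": True,  "disabled_at": None},
    {"user": "bwong",     "enabled": False, "disabled_at": "2023-03-05T08:00:00"},
    {"user": "svc_batch", "enabled": True,  "disabled_at": None},
]

# Assumed SLA: access must be disabled within 24 hours of the termination time.
SLA = timedelta(hours=24)


def _ts(value):
    return datetime.fromisoformat(value)


def find_sla_breaches(terminations, accounts, sla=SLA, now=None):
    """Return [(user, finding)] for terminations whose access removal missed the SLA.
    A termination with no directory account is reported: removal cannot be verified."""
    now = _ts(now) if isinstance(now, str) else (now or datetime.now())
    by_user = {a["user"]: a for a in accounts}
    breaches = []
    for t in terminations:
        user, term_at = t["user"], _ts(t["terminated"])
        acct = by_user.get(user)
        if acct is None:
            breaches.append((user, "no directory account found; cannot verify removal"))
            continue
        if acct["enabled"]:  # still active: breach only once the SLA window has passed
            overdue = now - term_at - sla
            if overdue > timedelta(0):
                breaches.append((user, f"still enabled {overdue.total_seconds() / 3600:.1f}h past SLA"))
            continue
        lag = _ts(acct["disabled_at"]) - term_at  # disabled, but was it on time?
        if lag > sla:
            breaches.append((user, f"disabled {lag.total_seconds() / 3600:.1f}h after termination"))
    return breaches


if __name__ == "__main__":
    for user, finding in find_sla_breaches(HR_TERMINATIONS, DIRECTORY_ACCOUNTS, now="2023-03-10T00:00:00"):
        print(f"{user}: {finding}")
```

Run against a real HR feed and directory export, the same function gives the evidence an assessor asks for: which terminations were disabled on time, which were late, and which cannot be shown to have been removed at all.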

    Requirement 8: Identify users and authenticate access to system components

    The goal

    The goal of PCI DSS Key Requirement 8 is to protect payment card account data by maintaining a sustainable capability for the reliable application of strong authentication controls for all in-scope users and systems, and to ensure that only authorized users can access any system component in the CDE; are uniquely identifiable, accountable and traceable; and are given entitlements based on “least privilege” and “need to know.”

    This goal includes complete integration with all related PCI DSS Key Requirements for the establishment of an effective, integrated series of control systems, and the development and ongoing improvement of all related capabilities, processes, documentation, tools and training needed to achieve < Quantitatively managed/Optimized > maturity of this key requirement by < insert date >.

    Goal applicability and scope considerations

    • People: All in-scope users with access to sensitive data, systems and locations, which applies to all personnel, including general users, administrators, vendors and other third parties that access the entity’s network from an external or remote network
    • IT components: The application of automated authentication technology across the CDE, including technologies such as Remote Authentication Dial-In User Service (RADIUS) with tokens, Terminal Access Controller Access Control System (TACACS) with tokens, and other technologies that facilitate multifactor authentication

    Goal requirements:

    Some of the primary conditions necessary to achieve the goal

    • Capability—procedures: Maintain an organizational capability for strong governance on the entire life cycle of users that includes management approval, provisioning, and periodic certification and decommissioning; maintain documented authentication procedures with supporting awareness and training. All users have their own authorized credentials that are not shared, with passwords meeting industry standards, and inactive and terminated accounts suspended and removed, if possible
    • Capability—automation: Create the capability to establish and reliably maintain strong authentication for users and administrators. The capability to correctly design, implement and maintain multifactor technologies for strong MFA and secure remote network access for all connections originating from outside the entity’s network that could access or impact the CDE, preventing in-scope system components from being accessed by the use of a single authentication factor
    • Capability—monitoring: The active, effective and sustainable monitoring of the use and configuration of authentication systems, with timely detection and response to misconfigurations and system event alerts

    Strong dependencies and integration with other key requirements

    • Requirement 7: Strong dependency and integration with access control requirements
    • Requirement 10: Integration with logging and monitoring to detect and respond to authentication incidents
    • Requirement 2: Secure configuration of all authentication system components
    • Requirement 9: Integration with physical security control
    • Requirement 1: Integration with network security controls to protect access to authentication systems

    Short-term objectives

    • Scope: Maintain a capability to effectively identify and document all in-scope components through user-to-component mapping, and formally assign roles and responsibilities to all users and systems
    • Automate: Implement and maintain effective systems to automate user ID and authentication systems, management reporting, and monitoring across the entire CDE
    • Secure remote access: Implement and maintain MFA to secure access to the CDE, and configure MFA systems to prevent misuse

    Long-term objectives

    • Maturity—technical: Improve configurations, documentation and integration with dependent key requirements
    • Maturity—process: Improve the effectiveness with which the authentication process is integrated, maintained and managed to achieve high performance, continuous improvement and maturity

    Common constraints

    • Competency: The design, implementation and maintenance of authentication systems can be complicated in large, complex environments, requiring specialized competencies
    • Cost: The cost of authentication solutions can be prohibitive
    • Capability: The ability to effectively support and sustain authentication system projects with processes and capabilities, which may require many months (or several years) of improvements to achieve maturity