PCI DSS requirement: Implement strong access control procedures


Mike Chapple
08.06.2009


In this tip, we explore the fourth focus area of PCI DSS in depth: implementing strong access control procedures. This portion of the standard (Requirements 7, 8 and 9) covers restricting access to cardholder data by need-to-know, assigning a unique identifier to every user of systems in the cardholder environment, and restricting physical access to cardholder data.

Breaking down PCI for the midmarket
How to achieve PCI DSS compliance in a midmarket: Learn about PCI DSS compliance for a midmarket business, including the standard's six areas of focus and how to document your organization's compliance.
PCI DSS requirement: Building and maintaining a secure network: The first PCI focus area requires a set of documented configuration standards, perimeter and endpoint protection.
PCI DSS requirement: Protect cardholder data: The second PCI DSS focus area spells out how organizations must secure cardholder data they store and transmit.
PCI DSS requirement: Maintaining a vulnerability management program: The third PCI DSS focus area requires antivirus software, secure coding practices, patch management and change control processes be in place.

RESTRICTING ACCESS TO CARDHOLDER DATA BY NEED-TO-KNOW
Requirement 7 of PCI DSS mandates that you restrict access to cardholder data by business need-to-know. Essentially, you must ensure that you take adequate steps to prevent individuals without appropriate authorization from accessing cardholder data in your systems. Here are some specific requirements in this area:

  • Assign access to individuals based upon their job function and limit their access to the minimum required to complete their jobs.
  • Use an authorization form for each privilege assignment that specifies the privileges required and includes management sign-off.
  • Use an automated access control system that follows access restrictions and denies any activity that is not explicitly allowed.

These are all common-sense principles of access control, and you probably won't find anything surprising in this section. In my experience, the most common gap organizations have is the PCI DSS requirement for a paper trail of authorizations. Be sure you're keeping tabs on the forms signed by management approving access, that each form matches the privileges actually in force, and that the forms are accessible in the event of an audit.
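The following is an added example, not code from the article or from PCI DSS, showing the two checks above in working form: a default-deny authorization decision driven by job-function roles, and a reconciliation of the privileges the system actually grants against the signed authorization forms on file. The roles, resources, users and approval records are constructed for illustration.

```python
"""Default-deny, role-based authorization with a management-approval trail.

Added example for Requirement 7; the roles, resources, users and approval
records below are constructed for illustration and are not from the article.
"""
from collections import namedtuple

# One signed authorization form: who was approved for what, and by whom.
Approval = namedtuple("Approval", "user resource action approver signed_on")

# Job functions and the explicit privileges each one needs. Anything not
# listed here is denied; there is no "allow by default" path anywhere below.
ROLE_GRANTS = {
    "cashier": {("pos", "process_payment")},
    "fraud_analyst": {("cardholder_db", "read_masked_pan"),
                      ("cardholder_db", "read_full_pan")},
    "dba": {("cardholder_db", "backup"), ("cardholder_db", "restore")},
}

# Constructed user-to-role assignments.
USER_ROLES = {"alice": {"cashier"}, "bob": {"fraud_analyst"}, "carol": {"dba"}}

# Constructed forms on file. Note that carol's "restore" privilege has no form.
APPROVALS = [
    Approval("alice", "pos", "process_payment", "store_mgr", "2009-07-01"),
    Approval("bob", "cardholder_db", "read_masked_pan", "risk_dir", "2009-07-01"),
    Approval("bob", "cardholder_db", "read_full_pan", "risk_dir", "2009-07-01"),
    Approval("carol", "cardholder_db", "backup", "it_mgr", "2009-07-01"),
]


def is_allowed(user, resource, action, user_roles=USER_ROLES, role_grants=ROLE_GRANTS):
    """Default deny: True only if one of the user's roles carries an explicit grant.

    Unknown users, unknown roles and unlisted (resource, action) pairs all
    fall through to the final return False.
    """
    for role in user_roles.get(user, ()):
        if (resource, action) in role_grants.get(role, ()):
            return True
    return False


def effective_privileges(user_roles, role_grants):
    """Every (user, resource, action) the access control system would permit."""
    out = set()
    for user, roles in user_roles.items():
        for role in roles:
            for resource, action in role_grants.get(role, ()):
                out.add((user, resource, action))
    return out


def unapproved_privileges(user_roles, role_grants, approvals):
    """Privileges in force that have no signed authorization form behind them.

    This is the paper-trail gap an assessor looks for: the set difference
    between what the system grants and what management actually signed off.
    """
    approved = {(a.user, a.resource, a.action) for a in approvals}
    return sorted(effective_privileges(user_roles, role_grants) - approved)


if __name__ == "__main__":
    print(is_allowed("alice", "cardholder_db", "read_full_pan"))   # cashier: denied
    print(unapproved_privileges(USER_ROLES, ROLE_GRANTS, APPROVALS))
```

Running the reconciliation before an assessment surfaces exactly the privileges you need either a signed form for or a revocation of; keeping the role table as the single source of truth for both the enforcement point and the audit is what makes the comparison meaningful.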

ASSIGNING UNIQUE IDs
The eighth PCI DSS requirement governs the use of unique identifiers for access to systems in the cardholder environment. The goal of this requirement is to ensure that strong authentication identifies each individual so that they may be held accountable for their actions. Specific requirements in this section include:

  • Using unique identifiers for all users. There should be no group or shared logins to any system in the cardholder environment.
  • Strong passwords (at least seven characters containing both letters and numbers, changed at least every 90 days) or another strong authentication method for all access, and two-factor authentication for all remote access into the cardholder environment.
  • Maintaining a password history that blocks individuals from reusing any of their last four passwords.
  • Locking out users for at least 30 minutes after six incorrect login attempts, and requiring re-authentication after 15 minutes of idle time.
  • Rendering passwords unreadable during transmission and storage using strong cryptography. In practice this means an encrypted channel such as TLS in transit and a salted one-way hash at rest; reversible encryption of stored passwords is a common but weaker reading of this item.
  • Implementation of formal procedures for addition, modification and deletion of accounts, password resets and first-time passwords (which must be unique per user and changed on first use). You must also formally communicate these procedures to all users.
  • Revoking access immediately for terminated users, and removing or disabling accounts that have been inactive for 90 days.

This is another area where you likely already have some security practices in place, even if they're not written down as formal policy. Your best bet is to pull up a copy of your access requirements and compare them side by side with PCI DSS Requirement 8 to identify any gaps.
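As an added example (not code from the article or from PCI DSS), the block below implements the Requirement 8 controls listed above as a single account state machine, so you can see how the thresholds interact: password composition and age, last-four history, lockout after six failures for 30 minutes, a 15-minute idle timeout, and disabling after 90 days of inactivity. Storing a salted PBKDF2 hash rather than an encrypted password is this example's choice; the user IDs and timestamps are constructed.

```python
"""Requirement 8 account controls as a small authentication state machine.

Added example; not from the article. The thresholds mirror the ones the
article lists. Salted PBKDF2 storage is this example's choice, and the user
IDs and timestamps used with it are constructed.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH = 7
MAX_PASSWORD_AGE = timedelta(days=90)
HISTORY_DEPTH = 4            # new password may not match the last four used
MAX_FAILURES = 6
LOCKOUT_PERIOD = timedelta(minutes=30)
IDLE_TIMEOUT = timedelta(minutes=15)
INACTIVITY_LIMIT = timedelta(days=90)


def password_meets_policy(password):
    """At least seven characters containing both letters and digits."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def hash_password(password, salt=None):
    """Salted one-way hash; returns (salt, digest). The plaintext is never stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


class Account:
    """One unique user ID (no shared logins) and its authentication state."""

    def __init__(self, user_id, password, now):
        self.user_id = user_id
        self.history = []          # (salt, digest) pairs, current password last
        self.failures = 0
        self.locked_until = None
        self.disabled = False
        self.last_login = now      # creation counts as activity for the 90-day rule
        self.last_activity = None  # None means no live session
        self.password_set = now
        self.set_password(password, now)

    def _matches(self, password, entries):
        # Constant-time comparison against each stored digest.
        return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
                   for salt, digest in entries)

    def set_password(self, password, now):
        if not password_meets_policy(password):
            raise ValueError("password must be 7+ characters with letters and digits")
        if self._matches(password, self.history[-HISTORY_DEPTH:]):
            raise ValueError("password matches one of the last four used")
        self.history.append(hash_password(password))
        self.password_set = now

    def login(self, password, now):
        """Returns a status string so the caller can log every outcome."""
        if self.disabled:
            return "disabled"
        if now - self.last_login > INACTIVITY_LIMIT:
            self.disabled = True               # inactive for more than 90 days
            return "disabled"
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        if not self._matches(password, self.history[-1:]):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked_until = now + LOCKOUT_PERIOD
                return "locked"
            return "bad_password"
        self.failures = 0
        self.locked_until = None
        self.last_login = now
        if now - self.password_set > MAX_PASSWORD_AGE:
            return "password_expired"          # valid credential, but must be changed first
        self.last_activity = now               # open the session
        return "ok"

    def touch(self, now):
        """Record session activity; False means the idle timeout expired and the
        user must re-authenticate before continuing."""
        if self.last_activity is None or now - self.last_activity > IDLE_TIMEOUT:
            self.last_activity = None
            return False
        self.last_activity = now
        return True


if __name__ == "__main__":
    t0 = datetime(2009, 8, 6, 9, 0)
    acct = Account("mchapple", "Summer09pw", t0)   # constructed user and password
    print([acct.login("wrong", t0) for _ in range(6)])   # five bad_password, then locked
    print(acct.login("Summer09pw", t0 + timedelta(minutes=31)))   # ok once lockout passes
```

Two design points are worth noting. The inactivity check runs before the password is verified, so a dormant account is disabled at its first touch rather than silently revived, and the expired-password path returns success without opening a session, which is what lets the caller force a change before granting access.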

RESTRICTING PHYSICAL ACCESS
The final requirement of this section mandates that you restrict physical access to cardholder data. I've seen this requirement cause quite a bit of angst in organizations that do not already have strong physical access procedures. The specific requirements of this section include:

  • Using physical security controls to restrict and monitor access to systems.
  • Using video cameras to record physical access to data centers, server rooms or any other area that houses cardholder data systems (point-of-sale terminals are excluded) and retaining the recordings for at least three months.
  • Restricting physical access to publicly accessible network jacks and to wireless access points, gateways and handheld devices.
  • Using a badging system to identify employees and visitors and implementing visitor control procedures that include authorization, badging and logging.
  • Applying physical security controls to storage areas for backup media and paper records.
  • Implementing strong procedures for the management, tracking and destruction of all media containing cardholder data.
  • Destroying cardholder data by shredding, incinerating or pulping hardcopy records and securely wiping or physically destroying electronic media.

Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a contributor to SearchMidmarketSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the "CISSP Prep Guide" and "Information Security Illuminated."
