Requirement 8: Assign a unique ID to each person with computer access

This requirement ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. The following table lists the specific sub-requirements in Requirement 8 that are addressed by TIBCO LogLogic® Compliance Suite - PCI Edition.

Requirement 8: Assign a unique ID to each person with computer access
8.1 Identify all users with a unique username before allowing them to access system components or cardholder data
8.1.5 Manage IDs used by vendors to access, support, or maintain system components via remote access as follows (Type - Clarification):

- Enabled only during the time period needed and disabled when not in use
- Monitored when in use

Update: v3.0 November 2013

8.5.1 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects. Update: v3.0 November 2013
8.5.4 Immediately revoke access for any terminated users
8.5.6 Enable accounts used by vendors for remote maintenance only during the time period needed
8.5.8 Do not use group, shared, or generic accounts and passwords
8.5.9 Change user passwords at least every 90 days
8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts
8.5.16 Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users
8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows (Type - Evolving Requirement):

- Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.
- Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.

8.8 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. Update: v3.0 November 2013.