Requirement 8: Assign a Unique ID to Each Person with Computer Access

From the PCI DSS:

Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.

Each entry below gives the PCI DSS requirement first, followed by how the requirement is addressed with EFT Server.

8.1 Identify all users with a unique user name before allowing them to access system components or cardholder data.

Each user account defined in EFT Server has a unique username.

8.2 In addition to assigning a unique ID, employ at least one of the following methods to authenticate users:

  • Password

  • Token devices (e.g., SecureID, certificates, public key)

  • Biometrics

EFT Server supports standard passwords, one-time passwords (OTPs), certificates, and public-key authentication.

8.3 Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens, or VPN (based on SSL/TLS or IPSEC) with individual certificates.

In EFT Server, two-factor authentication for administrator sessions can be achieved with SSL-based logins, provided the SSL session requires a client certificate (something the administrator has) in addition to the administrator password (something the administrator knows). A password-only login over SSL/TLS protects the credential in transit but remains a single factor.

8.4 Encrypt all passwords during transmission and storage on all system components.

All user authentication passwords are stored as a one-way, non-reversible hash. Authentication credentials for automated, outbound sessions are stored using strong encryption.

8.5 Ensure proper user authentication and password management for non-consumer users and administrators on all system components.

See sub-requirements for specific implementation.

 

8.5.1 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects

EFT Server allows privileged sub-administrators to add and remove users and set permissions using automated tools or via the EFT Administrator interface.

 

8.5.2 Verify user identity before performing password resets

EFT Server requires user authentication prior to a user-initiated password reset. Sub-administrators can reset user passwords manually, after they verify the identity of the user.

 

8.5.3 Require users to reset their passwords to a unique value upon first use

EFT Server PCI DSS HS can force users to change their passwords upon initial login.

 

8.5.4 Immediately revoke access for any terminated users

When an EFT Server account is disabled, expired, or removed, the user can no longer log in to EFT Server. An administrator can also forcibly disconnect a user's active sessions, so revocation takes effect immediately rather than at the user's next login.

 

8.5.5 Require that accounts be removed after 90 days of inactivity

EFT Server PCI DSS HS can disable or remove inactive users after a specified period of inactivity (90 days by default).

 

8.5.6 Enable accounts used by vendors for remote maintenance only during the time period needed

EFT Server can automatically expire an account on a specific date; however, it does not automatically enable accounts. If a user account needs to be enabled, for example, every Friday from noon to 1 p.m., the EFT Server administrator must manually enable the account each time.

 

8.5.7 Communicate password procedures and policies to all users who have access to cardholder data

When you create a new user, you have the option of e-mailing the user's credentials to an e-mail address that you specify. You can edit the default text of that e-mail (Credentials.txt) to include your organization's password policies and procedures.

 

8.5.8 Do not use generic (shared) accounts/passwords

EFT Server disallows the "Anonymous" password type for HS-PCI-enabled sites anywhere that the password type is selectable.

 

8.5.9 Change user passwords at least every 90 days

EFT Server PCI DSS HS allows you to enforce automatic expiration of passwords for administrators and users. Users are notified of pending expiration and are prompted to change their password once it expires.

 

8.5.10 Require a minimum password length of at least seven characters

EFT Server allows you to enforce complex passwords using multiple criteria, including a minimum length; to satisfy this requirement, set the minimum length to at least seven characters.

 

8.5.11 Use passwords containing both numeric and alphabetic characters

EFT Server provides multiple password complexity settings, including alphanumeric sub-options, disallowing words contained in a dictionary file, disallowing use of the username as the password, disallowing cyclical (previously used) passwords, and more.

 

8.5.12 Cyclical passwords not allowed (up to 4 previous passwords)

EFT Server PCI DSS HS remembers password history and prevents the reuse of passwords for administrators and users.
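To make the storage and password-policy controls described under 8.4 and 8.5.10 through 8.5.12 concrete, here is an added Python example (written for this page; it is not EFT Server's code and does not reflect its internals). It stores passwords only as salted one-way hashes, then checks a candidate password against a minimum length of seven, the letters-plus-digits rule, a dictionary file, the username, and the hashes of the last four passwords. The policy constants, the small dictionary, the sample passwords and the PBKDF2 iteration count are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Policy values chosen for this example (assumptions, not EFT Server defaults).
MIN_LENGTH = 7        # PCI DSS 8.5.10
HISTORY_DEPTH = 4     # PCI DSS 8.5.12: current password plus the three before it
# Deliberately low so the example runs quickly; raise it in production
# (OWASP currently recommends 600,000 for PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 100_000

# Constructed stand-in for the "dictionary file" the page refers to.
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "secret"}


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted, one-way hash for storage (8.4); the plaintext is never retained."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_new_password(username: str, candidate: str,
                       history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the policy violations for a proposed password (empty list = accepted).

    history holds (salt, digest) pairs for the account's current and earlier
    passwords, most recent first; only the newest HISTORY_DEPTH entries count.
    """
    problems: list[str] = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters (8.5.10)")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("must contain both letters and digits (8.5.11)")
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word (8.5.11)")
    if username and username.lower() in lowered:
        problems.append("contains the username (8.5.11)")
    # Reuse is detected by re-hashing with each stored salt; no old plaintext is needed.
    if any(matches(candidate, salt, digest) for salt, digest in history[:HISTORY_DEPTH]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords (8.5.12)")
    return problems


def rotate_password(username: str, new_password: str,
                    history: list[tuple[bytes, bytes]]) -> list[tuple[bytes, bytes]]:
    """Enforce the policy, then put the new hash at the head of a history trimmed to HISTORY_DEPTH."""
    problems = check_new_password(username, new_password, history)
    if problems:
        raise ValueError("; ".join(problems))
    return [hash_password(new_password)] + history[:HISTORY_DEPTH - 1]
```

The point of keeping the history as salted hashes is that 8.5.12 can be enforced without ever violating 8.4: the reuse check re-derives the candidate's hash under each stored salt instead of comparing plaintexts, and the history never contains anything reversible.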

 

8.5.13 Limit repeated access attempts

EFT Server allows you to limit repeated access attempts by locking out a user or administrator after a configurable number of failed attempts within a configurable number of minutes.

 

8.5.14 Set the lockout duration to thirty minutes or until administrator enables the user ID

EFT Server allows you to specify a lockout duration of 30, 60, or 90 minutes at the Server, Site, User Setting Level, or per user.
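The lockout behaviour required by 8.5.13 and 8.5.14 is easy to get subtly wrong, so here is an added Python example (written for this page, not EFT Server's code) of a tracker that counts failures within a sliding window, locks the account either for a configured duration or indefinitely until an administrator re-enables it, and refuses a locked account even when the supplied password is correct. The threshold, window and duration values are assumptions for the example, and the clock is injectable so the policy can be exercised without waiting thirty minutes.

```python
from __future__ import annotations

import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable

# Example policy values (assumptions for this illustration, not EFT Server defaults).
MAX_ATTEMPTS = 6            # failed logins allowed ...
WINDOW_SECONDS = 30 * 60    # ... within this sliding window before the account locks (8.5.13)
LOCKOUT_SECONDS = 30 * 60   # lockout duration under 8.5.14; None means locked until an administrator unlocks


@dataclass
class LockoutTracker:
    max_attempts: int = MAX_ATTEMPTS
    window: float = WINDOW_SECONDS
    lockout: float | None = LOCKOUT_SECONDS
    clock: Callable[[], float] = time.time  # injectable so tests need not sleep
    _failures: dict[str, deque[float]] = field(default_factory=lambda: defaultdict(deque))
    _locked_until: dict[str, float | None] = field(default_factory=dict)

    def is_locked(self, account: str) -> bool:
        if account not in self._locked_until:
            return False
        until = self._locked_until[account]
        if until is None or self.clock() < until:
            return True                      # indefinite, or the lockout period has not elapsed
        del self._locked_until[account]      # lockout expired: back to normal handling
        return False

    def attempt_login(self, account: str, password_ok: bool) -> str:
        """Return "ok", "rejected" or "locked".

        The lock is checked before the password result is consulted, so a locked
        account cannot be used as an oracle to confirm a correct guess.
        """
        if self.is_locked(account):
            return "locked"
        if password_ok:
            self._failures.pop(account, None)   # a successful login clears the failure history
            return "ok"
        now = self.clock()
        attempts = self._failures[account]
        attempts.append(now)
        while attempts and now - attempts[0] > self.window:
            attempts.popleft()                  # only failures inside the window count
        if len(attempts) >= self.max_attempts:
            self._locked_until[account] = None if self.lockout is None else now + self.lockout
            attempts.clear()
            return "locked"
        return "rejected"

    def admin_unlock(self, account: str) -> None:
        """Administrator re-enables the ID, the alternative 8.5.14 allows."""
        self._locked_until.pop(account, None)
        self._failures.pop(account, None)
```

Two behaviours are worth checking in whatever product enforces this for you: that failures spaced further apart than the window do not accumulate into a lockout, and that an account in the locked state is refused before its password is evaluated, so the lockout itself does not reveal whether a guess was right.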

 

8.5.15 Idle sessions should timeout and require login credentials to continue

EFT Server has an idle timeout setting that applies across all connection protocols supported, for both users and administrators.

 

8.5.16 Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users

EFT Server provides multiple authentication options for accessing server resources, including AD/NTLM, LDAP, ODBC based, and EFT Server’s proprietary authentication manager.