From the PCI DSS:
Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.
| PCI DSS Requirement | How Requirement is Addressed with EFT Server |
| --- | --- |
| 8.1 Identify all users with a unique user name before allowing them to access system components or cardholder data. | Each user account defined in EFT Server has a unique username. |
| 8.2 In addition to assigning a unique ID, employ at least one of the following methods to authenticate users: | EFT Server supports standard passwords, one-time passwords (OTPs), certificates, and public-key authentication mechanisms. |
| 8.3 Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System (TACACS) with tokens, or VPN (based on SSL/TLS or IPsec) with individual certificates. | In EFT Server, two-factor authentication can be achieved with SSL-based (certificate) logins for administrator sessions. |
| 8.4 Encrypt all passwords during transmission and storage on all system components. | All user authentication passwords are stored as one-way, non-reversible hashes. Authentication credentials for automated outbound sessions are stored using strong encryption. |
| 8.5 Ensure proper user authentication and password management for non-consumer users and administrators on all system components. | See the sub-requirements below for the specific implementation. |
| 8.5.1 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects. | EFT Server allows privileged sub-administrators to add and remove users and set permissions, using automated tools or the Administrator interface. |
| 8.5.2 Verify user identity before performing password resets. | EFT Server requires user authentication before a user-initiated password reset. Sub-administrators can reset user passwords manually after they have verified the identity of the user. |
| 8.5.3 Require users to reset their passwords to a unique value upon first use. | EFT Server PCI DSS HS can force users to change their passwords upon initial login. |
| 8.5.4 Immediately revoke access for any terminated users. | When a Server account is disabled, expired, or removed, the user can no longer access EFT Server. EFT Server can also forcibly disconnect problem users. |
| 8.5.5 Remove or disable accounts after 90 days of inactivity. | EFT Server PCI DSS HS can disable or remove inactive users after a specified period of inactivity (90 days by default). |
| 8.5.6 Enable accounts used by vendors for remote maintenance only during the time period needed. | EFT Server can automatically expire an account on a specific date; it does not, however, automatically enable accounts. If a vendor account must be enabled on a schedule (for example, every Friday from noon to 1 p.m.), an EFT Server administrator must enable it manually each time. |
| 8.5.7 Communicate password procedures and policies to all users who have access to cardholder data. | When you create a new user, you have the option of e-mailing the user's credentials to an e-mail address that you specify. You can edit the default text of that e-mail (Credentials.txt) to include your organization's password policies and procedures. |
| 8.5.8 Do not use generic (shared) accounts or passwords. | EFT Server disallows the "Anonymous" password type for HS-enabled Sites anywhere that the password type is selectable. |
| 8.5.9 Change user passwords at least every 90 days. | EFT Server PCI DSS HS lets you enforce automatic expiration of passwords for administrators and users. Users are notified of pending expiration and are prompted to change their password once it has expired. |
| 8.5.10 Require a minimum password length of at least seven characters. | EFT Server lets you enforce complex passwords using multiple criteria, including minimum length. |
| 8.5.11 Use passwords containing both numeric and alphabetic characters. | EFT Server provides multiple password complexity settings, including alphanumeric sub-options and the ability to disallow words contained in a dictionary file, use of the username as a password, cyclical passwords, and more. |
| 8.5.12 Do not allow cyclical passwords (reuse of any of the last four passwords). | EFT Server PCI DSS HS keeps a password history and prevents the reuse of passwords by administrators and users. |
| 8.5.13 Limit repeated access attempts (lock out the user ID after not more than six failed attempts). | EFT Server lets you limit repeated access attempts by locking out a user or an administrator after a configurable number of failed attempts within a configurable number of minutes. |
| 8.5.14 Set the lockout duration to a minimum of thirty minutes or until an administrator enables the user ID. | EFT Server lets you specify a lockout duration of 30, 60, or 90 minutes at the EFT Server, Site, Settings Template, or per-user level. |
| 8.5.15 Idle sessions should time out (after no more than 15 minutes) and require login credentials to continue. | EFT Server has an idle timeout setting that applies across all supported connection protocols, for both users and administrators. |
| 8.5.16 Authenticate all access to any database containing cardholder data, including access by applications, administrators, and all other users. | EFT Server provides multiple authentication options for access to server resources, including AD/NTLM, LDAP, ODBC-based, and EFT Server's proprietary authentication manager. |
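The controls under 8.4 and 8.5.10 through 8.5.14 (one-way password storage, minimum length, alphanumeric content, no username or dictionary words, a four-deep reuse history, and a lockout after repeated failures within a window) fit together in one small model. The following is an added example written for this page, not EFT Server's own code: it shows how reuse checking works when only salted hashes are stored, and how a sliding-window failure counter turns into a 30-minute lockout. The attempt threshold (`MAX_ATTEMPTS`), the attempt window (`ATTEMPT_WINDOW`) and the `DICTIONARY` set are assumed values, since the page only says these are configurable.

```python
"""Password policy, one-way storage, reuse history and lockout, modelling
PCI DSS 8.4 and 8.5.10-8.5.14. Added example; not EFT Server code."""
import hashlib
import hmac
import os
import re
from collections import deque

MIN_LENGTH = 7             # 8.5.10
HISTORY_DEPTH = 4          # 8.5.12: reject any of the last four passwords
MAX_ATTEMPTS = 6           # 8.5.13: assumed value for the attempt threshold
ATTEMPT_WINDOW = 30 * 60   # 8.5.13: assumed window, in seconds
LOCKOUT_SECONDS = 30 * 60  # 8.5.14: 30-minute lockout
PBKDF2_ROUNDS = 100_000

# Constructed stand-in for a dictionary file of banned words.
DICTIONARY = {"password", "welcome", "letmein", "qwerty"}


def hash_password(password, salt=None):
    """One-way, salted hash (8.4): returns (salt, digest); the plaintext is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def policy_violations(username, password, history):
    """Return the list of rules a proposed password breaks; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")                       # 8.5.10
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("needs both letters and digits")   # 8.5.11
    if username.lower() in password.lower():
        problems.append("contains username")               # 8.5.11
    if password.lower() in DICTIONARY:
        problems.append("dictionary word")                 # 8.5.11
    # Only hashes are stored, so reuse is detected by verifying against each old hash.
    if any(verify_password(password, s, d) for s, d in history):
        problems.append("reused")                          # 8.5.12
    return problems


class Account:
    def __init__(self, username):
        self.username = username
        self.history = []        # (salt, digest) pairs, oldest first; last entry is current
        self.failures = deque()  # timestamps of recent failed logins
        self.locked_until = 0.0

    def set_password(self, password):
        """Apply the policy; on success store the new hash and keep current + four previous."""
        problems = policy_violations(self.username, password, self.history)
        if not problems:
            self.history.append(hash_password(password))
            del self.history[:-(HISTORY_DEPTH + 1)]
        return problems

    def login(self, password, now):
        """Return 'ok', 'denied' or 'locked'; `now` is a Unix timestamp in seconds."""
        if now < self.locked_until:
            return "locked"
        if not self.history:
            return "denied"
        # Drop failures that have fallen out of the sliding window (8.5.13).
        while self.failures and now - self.failures[0] > ATTEMPT_WINDOW:
            self.failures.popleft()
        salt, digest = self.history[-1]
        if verify_password(password, salt, digest):
            self.failures.clear()
            return "ok"
        self.failures.append(now)
        if len(self.failures) >= MAX_ATTEMPTS:
            self.locked_until = now + LOCKOUT_SECONDS      # 8.5.14
            self.failures.clear()
            return "locked"
        return "denied"


if __name__ == "__main__":
    acct = Account("alice")
    print(acct.set_password("alice123"))   # rejected: contains username
    print(acct.set_password("Tr0ub4dor"))  # accepted
    print(acct.set_password("Tr0ub4dor"))  # rejected: reused
```

Two design points matter for a real deployment. Reuse checking against a hash-only history costs one KDF evaluation per stored entry, which is why the history is bounded to the four previous passwords rather than kept forever. The lockout is keyed on the account, not the source address, so an attacker who knows a username can deliberately lock it; the 8.5.14 alternative of "until an administrator enables the user ID" is the same lock with `LOCKOUT_SECONDS` set to infinity and a manual reset path.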