My Merchant Account Blog

Implement Strong Access Control Measures

Saturday, December 06, 2008
The fourth core area of PCI DSS is Implement Strong Access Control Measures, and it comprises three requirements:
  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
This can be accomplished by ensuring each employee has his or her own unique ID to sign into the systems and has access only to what he or she needs. For example, an employee who is assigned to enter and update product information and inventory does not need to see customer or cardholder data.

Restrict Access to Cardholder Data by Business Need-To-Know

As with the example above, each employee's duties need to be fully documented. The documented duties explain which data each employee needs access to. Limiting access to those with a strong business reason for it helps your organization prevent mishandling of cardholder data, whether through inexperience or malicious intent.

Assign a Unique ID to Each Person with Computer Access

Each employee should have his or her own unique ID to access your system. By ensuring each employee has a unique ID, an organization can hold individuals responsible for their actions and keep an audit trail per employee. Do not create generic IDs (e.g. billing, stocking, etc.). Create unique IDs based on the individual, not the job.

Employees should not share their passwords with anyone. Other methods of authenticating users are biometrics and token devices. Two-factor authentication should be used for remote access for additional security. Passwords should always be encrypted during transmission and storage. Do not allow employees to email their passwords. Also, verify the identity of the individual before changing a password: some attackers will call the help desk claiming they cannot access their account. The initial password should also be unique for each new individual. If the same password is used for everyone, it can easily be discovered and used to gain access.

Terminated employees should be removed from the system immediately. Human resources should have policies in place to notify the proper department of the termination. Accounts should also be monitored for inactivity: if no activity has occurred within 90 days, the account should be deleted.

As discussed in the post on Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters, passwords should consist of both numeric and alphabetic characters. Passwords should be at least seven characters long and changed every 90 days. Individuals should not be allowed to reuse any of their last four passwords.
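The rules in the three paragraphs above (no shared or generic IDs, inactive accounts removed after 90 days, seven-character alphanumeric passwords rotated every 90 days with no reuse of the last four) are easy to state and easy to get wrong when enforced by hand. The following is an added example, not code from the blog post: one account object per individual, with password checks done against salted, iterated PBKDF2-SHA256 digests (an assumption; the post only says passwords must be encrypted in storage) so the "last four passwords" rule never requires keeping old passwords in plaintext. The account names, dates and passwords are constructed for the demo.

```python
"""Added example (not from the blog post): enforcing per-user password and
account rules with salted, iterated hashes.

Assumptions not stated on the page: passwords are stored as PBKDF2-SHA256
digests, and the 'last four passwords' rule is checked against stored digests
rather than plaintext. All account data below is constructed for the demo."""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

PASSWORD_MIN_LENGTH = 7        # "at least seven characters"
PASSWORD_MAX_AGE_DAYS = 90     # "changed every 90 days"
PASSWORD_HISTORY_DEPTH = 4     # "any of the last four passwords"
INACTIVITY_LIMIT_DAYS = 90     # "no activity within 90 days"
PBKDF2_ITERATIONS = 100_000    # assumption: iteration count chosen for the demo

PasswordRecord = Tuple[bytes, bytes]   # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def password_matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_password_policy(candidate: str, history: List[PasswordRecord]) -> List[str]:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < PASSWORD_MIN_LENGTH:
        problems.append("shorter than 7 characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("no alphabetic character")
    if not re.search(r"[0-9]", candidate):
        problems.append("no numeric character")
    # Only the most recent digests count; history is stored newest-last.
    for salt, digest in history[-PASSWORD_HISTORY_DEPTH:]:
        if password_matches(candidate, salt, digest):
            problems.append("reuses one of the last 4 passwords")
            break
    return problems


class Account:
    """One account per individual (a unique ID, never a shared 'billing' login)."""

    def __init__(self, user_id: str, initial_password: str, now: datetime):
        self.user_id = user_id
        self.history: List[PasswordRecord] = []   # newest last
        self.password_set_at = now
        self.last_login = now
        self.set_password(initial_password, now)

    def set_password(self, new_password: str, now: datetime) -> None:
        """Reject a password that breaks the policy; otherwise store its digest."""
        problems = check_password_policy(new_password, self.history)
        if problems:
            raise ValueError(f"{self.user_id}: " + "; ".join(problems))
        self.history.append(hash_password(new_password))
        self.history = self.history[-PASSWORD_HISTORY_DEPTH:]   # keep only the last four
        self.password_set_at = now

    def verify(self, password: str, now: datetime) -> bool:
        """Check the current (most recent) password and record the login on success."""
        salt, digest = self.history[-1]
        if password_matches(password, salt, digest):
            self.last_login = now
            return True
        return False

    def password_expired(self, now: datetime) -> bool:
        return (now - self.password_set_at) > timedelta(days=PASSWORD_MAX_AGE_DAYS)


def find_inactive(accounts: List[Account], now: datetime) -> List[str]:
    """IDs of accounts with no login in the last 90 days (candidates for removal)."""
    limit = timedelta(days=INACTIVITY_LIMIT_DAYS)
    return [a.user_id for a in accounts if (now - a.last_login) > limit]


if __name__ == "__main__":
    today = datetime(2008, 12, 6)                                  # constructed date
    alice = Account("alice.w", "Winter2008x", today)               # constructed account
    bob = Account("bob.k", "Stock7room", today - timedelta(days=120))
    print(check_password_policy("short1", alice.history))          # too short
    print(check_password_policy("Winter2008x", alice.history))     # reuse
    print("expired:", bob.password_expired(today))                  # True
    print("inactive:", find_inactive([alice, bob], today))          # ['bob.k']
```

The history check hashes the candidate under each stored salt, so reuse is detected without ever storing an old password in recoverable form; the same `set_password` path is used for the initial password, which is how the "unique initial password per new individual" rule gets enforced rather than assumed.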

Restrict Physical Access to Cardholder Data

Facility entry controls should be used and enforced by the organization where cardholder data is stored, processed, or transmitted.  Logs of entry should be maintained for at least three months unless otherwise restricted by law.  Cameras should also be used to monitor sensitive areas.

Visitors

Procedures should be in place to distinguish employees from visitors. A visitor log should be used to maintain a physical audit trail and kept for at least three months (unless prohibited by law).

Visitors should:
  1. Be authorized before entering any area where cardholder data is processed or maintained
  2. Be given a badge or access key for only the specific areas they need to be in, and the badge should expire
  3. Return the badge before leaving

Management and Storage of Paper and Electronic Media

Paper and electronic media include backups, which may contain cardholder data. Backups can be kept with a commercial data-storage facility or, for a smaller entity, in a safe-deposit box. Computers, electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes are some examples of what will need to be secured.

Media should be marked confidential and sent only by secure courier. Do not use a courier that does not provide tracking. Cardholder data that leaves the facility should be signed for by an authorized person. Strict control over the storage and accessibility of the media should be maintained at all times.

If the cardholder data is no longer needed for business purposes, it should be destroyed.  Paper can be cross-cut, burned, or turned into pulp.  Electronic media should be purged, degaussed, or shredded so data can no longer be accessed.


Comments

Tom Harrison said...

First-rate Post.

Thank you for the post.


9/17/2009

Marcus said...

Great story you got here. I'd like to read more about this topic.

10/28/2009

© 2005 - 2025 - Merchant Account Forums - Contact Us for Permission to Display Our Complete Posts on Your Website