Implement Strong Access Control Measures
The fourth core area of PCI DSS is Implement Strong Access Control Measures, and it comprises three requirements:
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
This can be accomplished easily by ensuring each employee has his / her own unique ID to sign into the systems, and by ensuring that each employee has access only to what he / she needs. For example, an employee who is assigned to enter / update product information and inventory does not need to see the customer / cardholder data.
Restrict Access to Cardholder Data by Business Need-To-Know
As with the example above, each employee's duties need to be fully documented. Documenting these duties will help to explain what data each employee needs access to. Limiting access to those with a strong business reason for it will help your organization prevent mishandling of cardholder data, whether through inexperience or malicious intent.
Assign a Unique ID to Each Person with Computer Access
Each employee should have his / her own unique ID to access your system. By ensuring each employee has his / her own unique ID, an organization can maintain individual accountability for actions and have an audit trail per employee. Do not create generic IDs such as billing, stocking, etc. Create unique IDs based on the individual, not the job.
Employees should not share their passwords with anyone. Other methods to authenticate users can be biometrics or token devices. Two-factor authentication should be used for remote access for additional security. Passwords should always be encrypted during transmission and storage. Do not allow employees to email their passwords. Also, verify the identity of the individual before changing a password; some attackers will call the help desk claiming they cannot access their account. Passwords should also be unique for each new individual. If the same password is used, it might easily be discovered and used to gain access.
Terminated employees should be removed from the system immediately.
Policies should be in place by human resources to let the proper department know
of the termination. Accounts should also be monitored for inactivity.
If activity has not occurred within 90 days, the account should be deleted.
As discussed under Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters, passwords should consist of both numeric and alphabetic characters.
Passwords should be at least seven characters and changed every 90 days.
Individuals should not be allowed to use any of the last four passwords.
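The rules in this section (unique per-person IDs rather than job-based ones, seven-character passwords with both letters and digits, no reuse of the last four passwords, a 90-day password age, deletion after 90 days of inactivity, and immediate removal of terminated employees) are concrete enough to check automatically. The script below is an added example, not code from the original article; it assumes stored passwords are kept as salted PBKDF2 hashes (the article only requires that they be protected in storage), and the account records and the fixed review date are constructed for illustration.

```python
"""Account-lifecycle and password-policy checks for the PCI DSS rules above.

Added example, not part of the original article. Assumes salted PBKDF2-HMAC
for stored passwords; sample accounts and the review date are constructed.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# Parameters taken from the article's stated rules.
MIN_LENGTH = 7              # at least seven characters
HISTORY_DEPTH = 4           # none of the last four passwords may be reused
MAX_PASSWORD_AGE_DAYS = 90  # change every 90 days
INACTIVITY_LIMIT_DAYS = 90  # delete after 90 days without activity
# Job-based (generic) IDs the article says not to create; constructed list.
GENERIC_IDS = {"billing", "stocking"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (assumed storage format, not the article's)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_password_record(password: str) -> tuple[bytes, bytes]:
    """Create the (salt, digest) pair that would be kept in password history."""
    salt = secrets.token_bytes(16)
    return salt, hash_password(password, salt)


def password_violations(candidate: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the policy rules a proposed new password breaks (empty list = OK)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeric character")
    if not any(c.isalpha() for c in candidate):
        problems.append("no alphabetic character")
    # Compare against the most recent stored hashes; plaintext history is never kept.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def review_account(account: dict, now: datetime) -> str:
    """Decide what to do with one account under the article's lifecycle rules."""
    if account["user_id"].lower() in GENERIC_IDS:
        return "replace: generic job-based ID, issue per-person IDs instead"
    if account["terminated"]:
        return "remove: employee terminated"
    if now - account["last_login"] > timedelta(days=INACTIVITY_LIMIT_DAYS):
        return f"delete: no activity in {INACTIVITY_LIMIT_DAYS} days"
    if now - account["password_set"] > timedelta(days=MAX_PASSWORD_AGE_DAYS):
        return f"force password change: older than {MAX_PASSWORD_AGE_DAYS} days"
    return "ok"


def review_accounts(accounts: list[dict], now: datetime) -> dict[str, str]:
    """Map each user ID to the action the review recommends."""
    return {a["user_id"]: review_account(a, now) for a in accounts}


# Constructed sample data; the review date is fixed so results are deterministic.
NOW = datetime(2024, 3, 1)
SAMPLE_ACCOUNTS = [
    {"user_id": "jsmith", "terminated": False,
     "last_login": NOW - timedelta(days=2), "password_set": NOW - timedelta(days=30)},
    {"user_id": "mlee", "terminated": False,
     "last_login": NOW - timedelta(days=120), "password_set": NOW - timedelta(days=10)},
    {"user_id": "rkhan", "terminated": True,
     "last_login": NOW - timedelta(days=1), "password_set": NOW - timedelta(days=5)},
    {"user_id": "billing", "terminated": False,
     "last_login": NOW, "password_set": NOW},
    {"user_id": "apatel", "terminated": False,
     "last_login": NOW - timedelta(days=3), "password_set": NOW - timedelta(days=100)},
]

if __name__ == "__main__":
    for user, action in review_accounts(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{user:10} {action}")
    history = [new_password_record(p) for p in ("winter2023a", "spring2024b")]
    print(password_violations("spring2024b", history))  # recent password reused
    print(password_violations("abc", history))          # too short, no digit
    print(password_violations("newpass99", history))    # [] - acceptable
```

The history check hashes the candidate with each stored salt and compares digests in constant time, so the system never needs to keep old passwords in recoverable form. The account review is ordered so that a generic ID or a terminated employee is reported before the age-based rules, since those are the findings that need action regardless of recent activity.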
Restrict Physical Access to Cardholder Data
Facility entry controls should be used and enforced by the organization wherever cardholder data is stored, processed, or transmitted. Logs of entry should be maintained for at least three months unless otherwise restricted by law. Cameras should also be used to monitor sensitive areas.
Visitors
Procedures should be in place to help distinguish between employees and
visitors. A visitor log should be used to maintain a physical audit trail
and kept for at least three months (unless prohibited by law).
Visitors should:
- Be authorized before entering any area where cardholder data is processed or maintained
- Be given a badge or access key for only the specific areas he / she needs to be in, and the badge should expire
- Return the badge before leaving
Management and Storage of Paper and Electronic Media
Media management also covers backups, which may contain cardholder data. You can contract with a commercial data-storage facility or, for a smaller entity, consider a safe-deposit box. Computers, electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes are some examples of what will need to be secured.
The media should be marked confidential and sent only by a secure courier. Do not use a shipping method that lacks a tracking system.
Cardholder data that leaves the facility should be signed for by an authorized
person. Strict control over the storage and accessibility of the media
should be maintained at all times.
If the cardholder data is no longer needed for business purposes, it should be
destroyed. Paper can be cross-cut, burned, or turned into pulp.
Electronic media should be purged, degaussed, or shredded so data can no longer
be accessed.
Comments
First-rate Post.
Thank you for the post.
Great story you got here. I'd like to read more about this topic.