PCI DSS requires businesses to define and implement policies and procedures so that proper user identification management is in place for administrators and non-consumer users on all system components.
Familiarising yourself with the rules and regulations is imperative. You can also demonstrate your professionalism in this area by joining a relevant auditing body or association; see https://www.copas.org/apa-program/ for further details.
This involves the following steps:
• Before granting users access to cardholder data or system components, they must be assigned a unique ID.
• Control identifier objects (user IDs and their authentication credentials).
• Access must be revoked for terminated users with immediate effect.
• Inactive user accounts must be removed or disabled within 90 days.
• IDs used by vendors must be managed effectively.
• Repeated access attempts must be limited. After six attempts, the user ID must be locked out.
• Lockout duration must be set at a minimum of 30 minutes.
• Re-authentication must be required if a session has been idle for 15 minutes or more.
Understanding this requirement:
PCI DSS has put this requirement in place to limit misuse and to make issues easier to resolve. The steps above ensure individual accountability and greater transparency. How can you fulfil this?
• Assign users a unique ID – Unique identification should be ensured. This leaves an effective audit trail for each employee.
• Control identifier objects – Changes to all authentication credentials must be managed.
• Access must be revoked for terminated users with immediate effect – Failure to do this leaves a path for a malicious outsider to access your systems, and ex-employees are often the ones who cause damage in this case.
• Inactive user accounts must be removed or disabled within 90 days – This is vital because inactive accounts are prime targets for attackers: nobody is using them, so any changes to them are unlikely to be noticed.
• IDs used by vendors must be managed effectively – Leaving vendor IDs with permanent, 24/7 access instead of managing them increases the chances of unauthorised access.
• Repeated access attempts must be limited. After six attempts, the user ID must be locked out – If you do not lock the user ID out, an attacker gets an unlimited number of password guesses against your system.
• Lockout duration must be set at a minimum of 30 minutes – The previous step is pointless if the account can be used again immediately after being locked out.
• Re-authentication must be required if a session has been idle for 15 minutes or more – Cardholder data and critical system components are at risk when a user walks away from an open machine, which is why this step is so important.
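The lockout, idle-timeout, inactivity and revocation rules listed above can all be expressed as a small enforcement policy. The following Python is an added illustration written for this page, not code from PCI DSS or from any vendor; it assumes an in-memory account store, a caller that supplies the current time (so the rules can be exercised without waiting), and a hypothetical `valid_until` window as one way of limiting vendor IDs to the period they are needed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds taken from the requirement discussed above.
MAX_FAILED_ATTEMPTS = 6                   # lock the ID on the sixth failure
LOCKOUT_DURATION = timedelta(minutes=30)  # minimum lockout period
IDLE_TIMEOUT = timedelta(minutes=15)      # idle time after which re-auth is needed
INACTIVITY_LIMIT = timedelta(days=90)     # disable accounts unused this long


@dataclass
class Account:
    user_id: str                              # one unique ID per person, never shared
    enabled: bool = True
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    last_login: Optional[datetime] = None
    last_activity: Optional[datetime] = None
    valid_until: Optional[datetime] = None    # assumed: access window for vendor IDs


class AccessPolicy:
    """Enforces the identification rules for a set of accounts (constructed demo)."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def add_account(self, user_id: str, created: datetime,
                    valid_until: Optional[datetime] = None) -> Account:
        # Unique IDs: refuse to create a second account with the same identifier.
        if user_id in self.accounts:
            raise ValueError(f"user ID {user_id!r} already exists")
        acct = Account(user_id, last_login=created, last_activity=created,
                       valid_until=valid_until)
        self.accounts[user_id] = acct
        return acct

    def attempt_login(self, user_id: str, password_ok: bool, now: datetime) -> str:
        """Return 'ok', 'denied', 'locked' or 'disabled' for logging purposes.
        (A user-facing login page should show one uniform failure message.)"""
        acct = self.accounts.get(user_id)
        if acct is None:
            return "denied"
        if not acct.enabled or (acct.valid_until is not None and now > acct.valid_until):
            return "disabled"
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return "locked"
            acct.locked_until = None          # lockout expired: start counting afresh
            acct.failed_attempts = 0
        if not password_ok:
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_DURATION
                return "locked"
            return "denied"
        acct.failed_attempts = 0
        acct.last_login = acct.last_activity = now
        return "ok"

    def record_activity(self, user_id: str, now: datetime) -> None:
        self.accounts[user_id].last_activity = now

    def needs_reauth(self, user_id: str, now: datetime) -> bool:
        """True once a session has been idle for the timeout or longer."""
        last = self.accounts[user_id].last_activity
        return last is None or now - last >= IDLE_TIMEOUT

    def revoke(self, user_id: str) -> None:
        """Immediate revocation for a terminated user."""
        self.accounts[user_id].enabled = False

    def disable_inactive(self, now: datetime) -> list[str]:
        """Periodic sweep: disable every enabled account unused for over the limit."""
        disabled = []
        for acct in self.accounts.values():
            if acct.enabled and acct.last_login is not None \
                    and now - acct.last_login > INACTIVITY_LIMIT:
                acct.enabled = False
                disabled.append(acct.user_id)
        return disabled
```

Feeding `now` in from the caller rather than reading the clock inside the policy keeps the rules testable and makes it obvious where each threshold applies; in a real deployment `disable_inactive` would run as a scheduled job and every status change would be written to the audit trail.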
The importance of managing and controlling access to your systems cannot be ignored. We hope that the information discussed above will assist you at your business. You cannot afford to cut corners.