Saturday, May 18, 2013

Seminar Notes - Requirements 7 and 8

This information was presented by Emma Sutcliffe, Director of Standards Coordination, PCI Security Standards Council

Req 7 - Restrict access to cardholder data by business "need to know"

Grant each user only the data and privileges their job requires
Default all access to "deny all" and open it up only where specifically needed
Base access rights on job classification and function
Use role-based access control, so privileges follow the role rather than the individual
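The deny-by-default, role-based model above, as an added example written for these notes; it is not code from the seminar or from the PCI SSC. Role, permission, user and operation names are hypothetical, and the sample PAN is a standard test card number. Every operation must declare the permission it needs and every permission must come from a role, so an unknown user, an unassigned role or an undeclared operation is refused without any special casing:

```python
"""Deny-by-default, role-based access control for Requirement 7.

Added example written for these notes; it is not code from the seminar or
from the PCI SSC. All role, permission, user and operation names are
hypothetical, as is the sample PAN (a standard test card number).
"""
from typing import Callable, FrozenSet, Mapping, Tuple

# Each role is granted exactly the operations its job function needs.
ROLE_PERMISSIONS: Mapping[str, FrozenSet[str]] = {
    "cashier": frozenset({"pos:authorize"}),
    "store_manager": frozenset({"pos:authorize", "pos:void", "reports:daily"}),
    "chargeback_analyst": frozenset({"chd:view_pan", "reports:chargebacks"}),
}

# Users receive roles by job classification, never ad-hoc permissions.
USER_ROLES: Mapping[str, FrozenSet[str]] = {
    "alice": frozenset({"cashier"}),
    "bob": frozenset({"store_manager"}),
    "carol": frozenset({"chargeback_analyst"}),
    "dave": frozenset(),  # provisioned but holds no role yet: denied everything
}

# Every operation declares the permission it needs. Operations absent from
# this table cannot be invoked at all, so "deny all" is the starting point.
def _authorize_sale(amount_cents: int) -> str:
    return f"approved {amount_cents} cents"

def _view_pan(pan: str) -> str:
    return pan  # full PAN: only a role holding chd:view_pan reaches this

def _daily_report(store: str) -> str:
    return f"daily report for {store}"

OPERATIONS: Mapping[str, Tuple[str, Callable[..., str]]] = {
    "authorize_sale": ("pos:authorize", _authorize_sale),
    "view_pan": ("chd:view_pan", _view_pan),
    "daily_report": ("reports:daily", _daily_report),
}

class AccessDenied(PermissionError):
    """Raised at the single enforcement point; callers must not swallow it."""

def permissions_for(user: str) -> FrozenSet[str]:
    """Union of the permissions of every role held by the user. Unknown
    users and unknown roles contribute nothing, so the default is deny."""
    granted = set()
    for role in USER_ROLES.get(user, frozenset()):
        granted |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(granted)

def can(user: str, operation: str) -> bool:
    """True only when the operation is declared and a role explicitly grants it."""
    entry = OPERATIONS.get(operation)
    return entry is not None and entry[0] in permissions_for(user)

def invoke(user: str, operation: str, *args) -> str:
    """Single enforcement point through which every operation is run."""
    if not can(user, operation):
        raise AccessDenied(f"deny: {user!r} may not run {operation!r}")
    return OPERATIONS[operation][1](*args)

def users_with(permission: str) -> FrozenSet[str]:
    """Who currently holds a permission; the input to a periodic access
    review of cardholder-data permissions such as chd:view_pan."""
    return frozenset(u for u in USER_ROLES if permission in permissions_for(u))

if __name__ == "__main__":
    TEST_PAN = "4111111111111111"  # constructed test number, not real data
    for user, op, args in [("alice", "authorize_sale", (1999,)),
                           ("alice", "view_pan", (TEST_PAN,)),
                           ("carol", "view_pan", (TEST_PAN,)),
                           ("dave", "daily_report", ("store-1",)),
                           ("mallory", "authorize_sale", (1,)),
                           ("bob", "export_all_cards", ())]:
        try:
            print(f"{user:8} {op:18} ALLOW -> {invoke(user, op, *args)}")
        except AccessDenied as e:
            print(f"{user:8} {op:18} {e}")
    print("can view PAN:", sorted(users_with("chd:view_pan")))
```

The point of routing everything through `invoke` is that there is exactly one place where the "deny all" default lives; a new operation that forgets to register itself is unreachable rather than unprotected, and `users_with` gives the access-review list that Requirement 7 expects someone to check.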

Req 8 - Assign a unique ID to each person with computer access

Incorporate two-factor authentication for remote network access
Idle sessions should time out after 15 minutes or less, after which the user must re-authenticate
Render all passwords unreadable during transmission and storage using strong cryptography (encrypted in transit and stored only as a one-way hash, never in a reversible form)

Authenticate every user with at least one of these factors (two distinct ones for two-factor authentication):

- Something you KNOW - a password or passphrase
- Something you HAVE - a token device, smart card or digital certificate
- Something you ARE - a biometric

Strong passwords:

- Change the password at least every 90 days
- Require a minimum length of seven characters
- Require both alphabetic and numeric characters
- Keep each password unique - do not allow reuse of any of the last four passwords
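An added example, not code from the seminar or the PCI SSC, that applies the strong-password rules above together with the Req 8 storage requirement: passwords are kept only as salted one-way hashes, so the "last four" check has to compare the candidate against stored hashes rather than against old passwords. The hash construction (salted PBKDF2-HMAC-SHA256), the iteration count, the record format and the sample passwords are assumptions.

```python
"""Password policy and unreadable password storage for Requirement 8.

Added example written for these notes; it is not code from the seminar or
from the PCI SSC. The hash construction (salted PBKDF2-HMAC-SHA256), the
stored-record format and the sample passwords are assumptions.
"""
import hashlib
import hmac
import os
import time
from typing import List, Optional

MIN_LENGTH = 7                      # PCI DSS: at least seven characters
HISTORY_DEPTH = 4                   # PCI DSS: no reuse of the last four
MAX_AGE_SECONDS = 90 * 24 * 3600    # PCI DSS: change at least every 90 days
PBKDF2_ITERATIONS = 100_000         # assumption: raise to what your hardware allows

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store only a salted one-way hash, as iterations$salt$hash (hex).
    The password itself is never written anywhere."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def check_complexity(password: str) -> List[str]:
    """Return every rule the candidate password violates (empty means OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 7 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    return problems

class UserRecord:
    """What the authentication store keeps per user: hashes only, newest first."""
    def __init__(self) -> None:
        self.history: List[str] = []
        self.changed_at: float = 0.0

def change_password(record: UserRecord, new_password: str,
                    now: Optional[float] = None) -> List[str]:
    """Apply the policy; on success record the new hash and the change time."""
    problems = check_complexity(new_password)
    # The old passwords are gone; only their hashes remain, so the history
    # check verifies the candidate against the last four stored hashes
    # (the current password included).
    if any(verify_password(new_password, old) for old in record.history[:HISTORY_DEPTH]):
        problems.append("matches one of the last four passwords")
    if problems:
        return problems
    record.history.insert(0, hash_password(new_password))
    del record.history[HISTORY_DEPTH:]   # keep no more history than the policy needs
    record.changed_at = time.time() if now is None else now
    return []

def password_expired(record: UserRecord, now: Optional[float] = None) -> bool:
    """True once the current password is older than 90 days."""
    now = time.time() if now is None else now
    return now - record.changed_at > MAX_AGE_SECONDS

def authenticate(record: UserRecord, password: str,
                 now: Optional[float] = None) -> str:
    """Outcome of a login attempt: "ok", "bad-password" or "expired"."""
    if not record.history or not verify_password(password, record.history[0]):
        return "bad-password"
    if password_expired(record, now):
        return "expired"
    return "ok"

if __name__ == "__main__":
    rec = UserRecord()
    t0 = 1_000_000.0  # constructed timestamp
    for cand in ["short1", "lettersonly", "12345678", "Summer2013x"]:
        print(f"{cand!r:16} -> {change_password(rec, cand, t0) or 'accepted'}")
    print("reuse attempt:", change_password(rec, "Summer2013x", t0 + 1))
    print("login at 89 days:", authenticate(rec, "Summer2013x", t0 + 89 * 86400))
    print("login at 91 days:", authenticate(rec, "Summer2013x", t0 + 91 * 86400))
```

The 90-day limit is not something hashing can enforce on its own: `password_expired` has to be consulted on every login, as `authenticate` does, and the same goes for the 15-minute idle timeout, which belongs in session handling rather than in the password store.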
