PCI DSS Requirements and Security Assessment Procedures, v1.2
Copyright 2008 PCI Security Standards Council LLC, October 2008, pages 37-41

The original is a five-column assessment table: PCI DSS Requirements | Testing Procedures | In Place | Not in Place | Target Date/Comments. The last three columns are blank check-off columns for the assessor and are omitted below; each requirement is followed by its testing procedure(s).

8.3 (continued from the previous page)
    Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.
    Testing procedure 8.3: To verify that two-factor authentication is implemented for all remote network access, observe an employee (for example, an administrator) connecting remotely to the network and verify that both a password and an additional authentication item (for example, smart card, token, PIN) are required.

8.4 Render all passwords unreadable during transmission and storage on all system components using strong cryptography (defined in PCI DSS Glossary of Terms, Abbreviations, and Acronyms).
    Testing procedure 8.4.a: For a sample of system components, examine password files to verify that passwords are unreadable during transmission and storage.
    Testing procedure 8.4.b: For service providers only, observe password files to verify that customer passwords are encrypted.

8.5 Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows:
    Testing procedure 8.5: Review procedures and interview personnel to verify that procedures are implemented for user authentication and password management, by performing the following:

8.5.1 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
    Testing procedure 8.5.1.a: Select a sample of user IDs, including both administrators and general users. Verify that each user is authorized to use the system according to company policy by performing the following:
    - Obtain and examine an authorization form for each ID.
    - Verify that the sampled user IDs are implemented in accordance with the authorization form (including with privileges as specified and all signatures obtained), by tracing information from the authorization form to the system.

8.5.2 Verify user identity before performing password resets.
    Testing procedure 8.5.2: Examine password procedures and observe security personnel to verify that, if a user requests a password reset by phone, e-mail, web, or other non-face-to-face method, the user's identity is verified before the password is reset.

8.5.3 Set first-time passwords to a unique value for each user and change immediately after the first use.
    Testing procedure 8.5.3: Examine password procedures and observe security personnel to verify that first-time passwords for new users are set to a unique value for each user and changed after first use.

8.5.4 Immediately revoke access for any terminated users.
    Testing procedure 8.5.4: Select a sample of employees terminated in the past six months, and review current user access lists to verify that their IDs have been deactivated or removed.

8.5.5 Remove/disable inactive user accounts at least every 90 days.
    Testing procedure 8.5.5: Verify that inactive accounts over 90 days old are either removed or disabled.

8.5.6 Enable accounts used by vendors for remote maintenance only during the time period needed.
    Testing procedure 8.5.6: Verify that any accounts used by vendors to support and maintain system components are disabled, enabled only when needed by the vendor, and monitored while being used.

8.5.7 Communicate password procedures and policies to all users who have access to cardholder data.
    Testing procedure 8.5.7: Interview the users from a sample of user IDs, to verify that they are familiar with password procedures and policies.

8.5.8 Do not use group, shared, or generic accounts and passwords.
    Testing procedure 8.5.8.a: For a sample of system components, examine user ID lists to verify the following:
    - Generic user IDs and accounts are disabled or removed.
    - Shared user IDs for system administration activities and other critical functions do not exist.
    - Shared and generic user IDs are not used to administer any system components.
    Testing procedure 8.5.8.b: Examine password policies/procedures to verify that group and shared passwords are explicitly prohibited.
    Testing procedure 8.5.8.c: Interview system administrators to verify that group and shared passwords are not distributed, even if requested.

8.5.9 Change user passwords at least every 90 days.
    Testing procedure 8.5.9: For a sample of system components, obtain and inspect system configuration settings to verify that user password parameters are set to require users to change passwords at least every 90 days.
    For service providers only, review internal processes and customer/user documentation to verify that customer passwords are required to change periodically and that customers are given guidance as to when, and under what circumstances, passwords must change.

8.5.10 Require a minimum password length of at least seven characters.
    Testing procedure 8.5.10: For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require passwords to be at least seven characters long.
    For service providers only, review internal processes and customer/user documentation to verify that customer passwords are required to meet minimum length requirements.

8.5.11 Use passwords containing both numeric and alphabetic characters.
    Testing procedure 8.5.11: For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require passwords to contain both numeric and alphabetic characters.
    For service providers only, review internal processes and customer/user documentation to verify that customer passwords are required to contain both numeric and alphabetic characters.

8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
    Testing procedure 8.5.12: For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require that new passwords cannot be the same as the four previously used passwords.
    For service providers only, review internal processes and customer/user documentation to verify that new customer passwords cannot be the same as the previous four passwords.

8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts.
    Testing procedure 8.5.13: For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require that a user's account is locked out after not more than six invalid logon attempts.
    For service providers only, review internal processes and customer/user documentation to verify that customer accounts are temporarily locked out after not more than six invalid access attempts.

8.5.14 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.
    Testing procedure 8.5.14: For a sample of system components, obtain and inspect system configuration settings to verify that password parameters are set to require that once a user account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the account.

8.5.15 If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.
    Testing procedure 8.5.15: For a sample of system components, obtain and inspect system configuration settings to verify that system/session idle time-out features have been set to 15 minutes or less.
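The testing procedures for 8.4 and 8.5.9 through 8.5.15 all amount to "inspect system configuration settings" against a fixed threshold. The script below is an added example, not part of the PCI DSS document or any Council tooling: it audits a Linux host's settings (login.defs, pam_pwquality, pam_faillock, the pam_unix `remember=` option, and a profile.d `TMOUT`) against those thresholds and reports which requirement IDs an assessor would mark Not in Place. It goes beyond the text in reading real configuration syntax rather than one parameter at a time. The two sets of configuration files at the bottom are constructed for the demonstration, and treating salted SHA-2 or yescrypt password hashes as "strong cryptography" for 8.4 is an assumption of the example, not the Glossary's definition.

```python
"""Audit a Linux host's password-policy settings against PCI DSS v1.2 8.4 and
8.5.9 - 8.5.15.  Added example, not part of the PCI DSS document: it reads the
'KEY value' / 'key = value' syntax of login.defs, pwquality.conf, faillock.conf
and a profile.d TMOUT snippet, plus the options on the 'password ... pam_unix.so'
line.  The sample configuration files at the bottom are constructed."""
import re

# Thresholds as stated in PCI DSS v1.2 requirements 8.5.9 - 8.5.15.
MAX_PASSWORD_AGE_DAYS = 90
MIN_PASSWORD_LENGTH = 7
PASSWORD_HISTORY = 4
MAX_FAILED_ATTEMPTS = 6
MIN_LOCKOUT_SECONDS = 30 * 60
MAX_IDLE_SECONDS = 15 * 60
# Assumption for 8.4: salted SHA-2 / yescrypt hashes count as "strong cryptography",
# md5 and bigcrypt do not.  Confirm against the PCI DSS Glossary before relying on it.
STRONG_HASHES = {"sha256", "sha512", "yescrypt"}
WEAK_HASHES = {"md5", "bigcrypt"}


def parse_settings(text):
    """Parse 'KEY value' or 'key = value' lines into a dict; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        m = re.match(r"^(?:export\s+)?([A-Za-z_]\w*)(?:\s*=\s*|\s+)(.+)$",
                     raw.split("#", 1)[0].strip())
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def parse_pam_unix(text):
    """Return {option: value} for the tokens after pam_unix.so on the 'password' line."""
    for raw in text.splitlines():
        toks = raw.split("#", 1)[0].split()
        if toks and toks[0] == "password" and "pam_unix.so" in toks:
            pairs = (tok.partition("=") for tok in toks[toks.index("pam_unix.so") + 1:])
            return {key: value for key, _, value in pairs}
    return {}


def _int(settings, key, default):
    """Integer lookup; falls back to the daemon's own default when unset or junk."""
    try:
        return int(settings[key])
    except (KeyError, ValueError):
        return default


def audit(login_defs, pwquality, faillock, pam_password, profile):
    """Return {requirement: (in_place, detail)} for 8.4 and 8.5.9 - 8.5.15."""
    ld, pq, fl = parse_settings(login_defs), parse_settings(pwquality), parse_settings(faillock)
    pu, pr = parse_pam_unix(pam_password), parse_settings(profile)
    r = {}
    # 8.4: an explicit weak algorithm on the PAM line wins; with no algorithm given,
    # pam_unix defers to ENCRYPT_METHOD in login.defs (DES if that is unset too).
    hash_ok = not (WEAK_HASHES & set(pu)) and bool(
        STRONG_HASHES & set(pu) or ld.get("ENCRYPT_METHOD", "DES").lower() in STRONG_HASHES)
    r["8.4"] = (hash_ok, "pam_unix=%s ENCRYPT_METHOD=%s" % (sorted(pu), ld.get("ENCRYPT_METHOD")))
    max_days = _int(ld, "PASS_MAX_DAYS", 99999)        # shadow default: never expires
    r["8.5.9"] = (max_days <= MAX_PASSWORD_AGE_DAYS, "PASS_MAX_DAYS=%d" % max_days)
    minlen = _int(pq, "minlen", _int(ld, "PASS_MIN_LEN", 0))
    r["8.5.10"] = (minlen >= MIN_PASSWORD_LENGTH, "minlen=%d" % minlen)
    # pwquality: a negative credit is a *minimum* count of that character class.
    digits = _int(pq, "dcredit", 0) <= -1
    letters = _int(pq, "ucredit", 0) <= -1 or _int(pq, "lcredit", 0) <= -1
    r["8.5.11"] = (digits and letters, "dcredit=%s ucredit=%s lcredit=%s"
                   % (pq.get("dcredit"), pq.get("ucredit"), pq.get("lcredit")))
    remember = _int(pu, "remember", 0)
    r["8.5.12"] = (remember >= PASSWORD_HISTORY, "remember=%d" % remember)
    deny = _int(fl, "deny", 3)                         # pam_faillock default
    r["8.5.13"] = (1 <= deny <= MAX_FAILED_ATTEMPTS, "deny=%d" % deny)
    unlock = _int(fl, "unlock_time", 600)              # pam_faillock default: 10 minutes
    # unlock_time=0 means only an administrator re-enables the ID, which 8.5.14 allows.
    r["8.5.14"] = (unlock == 0 or unlock >= MIN_LOCKOUT_SECONDS, "unlock_time=%d" % unlock)
    tmout = _int(pr, "TMOUT", 0)                       # unset or 0: the shell never times out
    r["8.5.15"] = (0 < tmout <= MAX_IDLE_SECONDS, "TMOUT=%d" % tmout)
    return r


def failing(results):
    """Requirement IDs the assessor would mark 'Not in Place'."""
    return sorted(req for req, (ok, _) in results.items() if not ok)


# Constructed samples: a lax host, then the same files tightened to the minimums.
WEAK = dict(login_defs="PASS_MAX_DAYS 99999\nPASS_MIN_LEN 5\nENCRYPT_METHOD MD5\n",
            pwquality="minlen = 5\n", faillock="deny = 10\nunlock_time = 300\n",
            pam_password="password required pam_unix.so md5 shadow\n", profile="")
HARDENED = dict(login_defs="PASS_MAX_DAYS 90\nPASS_MIN_LEN 7\nENCRYPT_METHOD SHA512\n",
                pwquality="minlen = 7\ndcredit = -1\nlcredit = -1\n",
                faillock="deny = 6\nunlock_time = 1800  # 30 minutes\n",
                pam_password="password required pam_unix.so sha512 shadow remember=4\n",
                profile="export TMOUT=900\nreadonly TMOUT\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "host, not in place:", ", ".join(failing(audit(**cfg))) or "none")
```

Two details matter when reading the output. pam_faillock's `unlock_time=0` disables automatic unlock, so the ID stays locked until an administrator resets it; that satisfies the "or until administrator enables the user ID" clause of 8.5.14 and the audit accepts it, whereas an unset `unlock_time` falls back to the module's 10-minute default and fails. Likewise the audit takes `minlen` from pwquality before `PASS_MIN_LEN`, because the PAM stack, not login.defs, enforces length on a host where pam_pwquality is loaded.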
8.5.16 Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.
    Testing procedure 8.5.16.a: Review database and application configuration settings and verify that user authentication and access to databases includes the following:
    - All users are authenticated prior to access.
    - All user access to, user queries of, and user actions on (for example, move, copy, delete) the database are through programmatic methods only (for example, through stored procedures).
    - Direct access or queries to databases are restricted to database administrators.
    Testing procedure 8.5.16.b: Review database applications and the related application IDs to verify that application IDs can only be used by the applications (and not by individual users or other processes).

Requirement 9: Restrict physical access to cardholder data.

Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted.

9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
    Testing procedure 9.1: Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment.
    - Verify that access is controlled with badge readers or other devices including authorized badges and lock and key.
    - Observe a system administrator's attempt to log into consoles for randomly selected systems in the cardholder environment and verify that they are "locked" to prevent unauthorized use.

9.1.1 Use video cameras or other access control mechanisms to monitor individual physical access to sensitive areas.