
Requirement 7.1

Limit access to system components and cardholder data to only those individuals whose job requires such access.

Requirement 7.1.1

Define access needs for each role, including:
  • System components and data resources that each role needs to access for their job function
  • Level of privilege required (for example, user, administrator, etc.) for accessing resources.

Requirement 7.1.2

Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.

Requirement 7.1.3

Assign access based on individual personnel’s job classification and function.

Requirement 7.1.4

Require documented approval by authorized parties specifying required privileges.

Requirement 7.2

Establish an access control system for system components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed. This access control system must include the following: 7.2.1 - 7.2.3

Requirement 7.2.1

Coverage of all system components.

Requirement 7.2.2

Assignment of privileges to individuals based on job classification and function.

Requirement 7.2.3

Default “deny-all” setting.
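Requirements 7.1.1 through 7.2.3 together describe one mechanism: entitlements are defined per role (component plus privilege level), individuals get access only through the roles their job function is assigned, and anything not explicitly granted is denied. The following is an added example written for this page, not code from the page or from PCI SSC; the role names, system components, privilege levels and personnel assignments are constructed for illustration. It also includes a small review helper for 7.1.2, listing who holds administrative privilege on a component, which is the check an assessor usually asks for.

```python
"""Role-based, deny-by-default access decisions in the shape of PCI DSS 7.1-7.2.

Added example for this page; not code from the page or from PCI SSC. The roles,
components and personnel assignments below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Mapping, Set


class Privilege(IntEnum):
    NONE = 0    # no entitlement recorded
    USER = 1    # ordinary use of the component
    ADMIN = 2   # administrative control of the component


@dataclass(frozen=True)
class Role:
    name: str
    # 7.1.1: the components this job function needs, and the privilege level for each
    entitlements: Mapping[str, Privilege]


# Constructed role definitions (hypothetical organisation)
ROLES: Dict[str, Role] = {
    "cashier":   Role("cashier",   {"pos-terminal": Privilege.USER}),
    "help-desk": Role("help-desk", {"pos-terminal": Privilege.USER, "ticketing": Privilege.USER}),
    "dba":       Role("dba",       {"db-bastion": Privilege.USER, "card-db": Privilege.ADMIN}),
}

# 7.1.3 / 7.2.2: individuals receive roles by job classification; nothing else grants access.
# 7.1.4's documented approval is assumed to live in the ticket that produced each entry.
ASSIGNMENTS: Dict[str, List[str]] = {
    "alice": ["cashier"],
    "bob":   ["dba"],
    "carol": ["help-desk", "cashier"],
}


def effective_privilege(user: str, component: str) -> Privilege:
    """Highest privilege any of the user's roles grants on `component`; NONE if none does."""
    best = Privilege.NONE
    for role_name in ASSIGNMENTS.get(user, []):
        role = ROLES.get(role_name)
        if role is not None:
            best = max(best, role.entitlements.get(component, Privilege.NONE))
    return best


def is_allowed(user: str, component: str, requested: Privilege) -> bool:
    """7.2.3: deny unless an explicit entitlement covers the requested level.

    An unknown user, an unknown component, a role that is assigned but not
    defined, or a request for NONE all fall through to deny.
    """
    if requested <= Privilege.NONE:
        return False
    return effective_privilege(user, component) >= requested


def admin_holders(component: str) -> Set[str]:
    """7.1.2 review aid: every individual whose roles give ADMIN on `component`."""
    return {u for u in ASSIGNMENTS if effective_privilege(u, component) >= Privilege.ADMIN}


if __name__ == "__main__":
    for user, component, level in [("alice", "pos-terminal", Privilege.USER),
                                   ("alice", "card-db", Privilege.USER),
                                   ("bob", "card-db", Privilege.ADMIN),
                                   ("mallory", "pos-terminal", Privilege.USER)]:
        print(f"{user:8} {component:13} {level.name:5} -> {'allow' if is_allowed(user, component, level) else 'deny'}")
    print("ADMIN on card-db:", admin_holders("card-db"))
```

The design point is that the decision function never consults anything but the role table: there is no per-user override path, so the only way to widen access is to change a role definition or an assignment, both of which are the artefacts 7.1.4 says must carry documented approval.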

Requirement 7.3

Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.

Requirement 8.1

Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows: 8.1.1 - 8.1.8

Requirement 8.1.1

Assign all users a unique ID before allowing them to access system components or cardholder data.

Requirement 8.1.2

Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.

Requirement 8.1.3

Immediately revoke access for any terminated users.

Requirement 8.1.4

Remove/disable inactive user accounts within 90 days.

Requirement 8.1.5

Manage IDs used by vendors to access, support, or maintain system components via remote access as follows:
  • Enabled only during the time period needed and disabled when not in use.
  • Monitored when in use.

Requirement 8.1.6

Limit repeated access attempts by locking out the user ID after not more than six attempts.

Requirement 8.1.7

Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.

Requirement 8.1.8

If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.

Requirement 8.2

In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:
  • Something you know, such as a password or passphrase
  • Something you have, such as a token device or smart card
  • Something you are, such as a biometric.

Requirement 8.2.1

Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.

Requirement 8.2.2

Verify user identity before modifying any authentication credential—for example, performing password resets, provisioning new tokens, or generating new keys.

Requirement 8.2.3

Passwords/phrases must meet the following:
  • Require a minimum length of at least seven characters.
  • Contain both numeric and alphabetic characters.
Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.

Requirement 8.2.4

Change user passwords/passphrases at least once every 90 days.

Requirement 8.2.5

Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.

Requirement 8.2.6

Set passwords/phrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use.
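Requirements 8.1.6 through 8.1.8 and 8.2.1 through 8.2.6 are the parameters of a single account-handling routine: lockout after six failures for at least 30 minutes (or until an administrator unlocks), 15-minute idle timeout, credentials stored only as salted hashes, identity proven before a credential is changed, a seven-character alphanumeric minimum, 90-day expiry, no reuse of the last four, and a forced change after first use. The following is an added example written for this page, not code from the page, from PCI SSC or from any vendor product; the Account class, its method names and status strings, and the sample passwords in the test are constructed. It uses the standard library's PBKDF2-HMAC-SHA256 as the strong-cryptography choice for 8.2.1; the iteration count is set low so the example runs quickly and should be raised for real use.

```python
"""Account handling that enforces PCI DSS 8.1.6-8.1.8 and 8.2.1-8.2.6.

Added example for this page; not code from the page or from PCI SSC. Class and
method names are constructed; the time source is passed in so the lockout,
idle and expiry rules can be exercised deterministically.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 6                 # 8.1.6: lock after not more than six attempts
LOCKOUT_SECONDS = 30 * 60               # 8.1.7: at least 30 minutes, or admin unlock
IDLE_TIMEOUT_SECONDS = 15 * 60          # 8.1.8: idle session must re-authenticate
MAX_PASSWORD_AGE_SECONDS = 90 * 86400   # 8.2.4: change at least every 90 days
PASSWORD_HISTORY = 4                    # 8.2.5: no reuse of the last four
MIN_LENGTH = 7                          # 8.2.3: at least seven characters
PBKDF2_ITERATIONS = 100_000             # 8.2.1: assumption, kept low for the example;
                                        # raise well above this in production

Record = Tuple[bytes, bytes]  # (salt, digest); the plaintext is never stored


def hash_password(password: str, salt: Optional[bytes] = None) -> Record:
    """Salted PBKDF2-HMAC-SHA256 so stored credentials are unreadable (8.2.1)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def password_matches(password: str, record: Record) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def meets_complexity(password: str) -> bool:
    """8.2.3: minimum length seven with both alphabetic and numeric characters."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


class Account:
    """One non-consumer user account; `now` is epoch seconds supplied by the caller."""

    def __init__(self, user_id: str, initial_password: str, now: float):
        self.user_id = user_id
        self.history: List[Record] = []      # newest last; history[-1] is the current credential
        self.failed_attempts = 0
        self.locked_until = 0.0
        self.last_activity: Optional[float] = None
        self.must_change = True              # 8.2.6: first-use value is changed immediately
        self._store(initial_password, now)

    def _store(self, password: str, now: float) -> None:
        self.history.append(hash_password(password))
        self.history = self.history[-PASSWORD_HISTORY:]   # current plus the three before it
        self.password_set_at = now

    def login(self, password: str, now: float) -> str:
        """Returns 'locked', 'invalid', 'must_change', 'expired' or 'ok'."""
        if now < self.locked_until:
            return "locked"
        if not password_matches(password, self.history[-1]):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:     # 8.1.6
                self.locked_until = now + LOCKOUT_SECONDS       # 8.1.7
                self.failed_attempts = 0
                return "locked"
            return "invalid"
        self.failed_attempts = 0
        if self.must_change:                                    # 8.2.6
            return "must_change"
        if now - self.password_set_at > MAX_PASSWORD_AGE_SECONDS:   # 8.2.4
            return "expired"
        self.last_activity = now
        return "ok"

    def admin_unlock(self) -> None:
        """8.1.7: an administrator may re-enable the ID before the 30 minutes elapse."""
        self.locked_until = 0.0
        self.failed_attempts = 0

    def session_active(self, now: float) -> bool:
        """8.1.8: a session idle for more than 15 minutes must re-authenticate."""
        return (self.last_activity is not None
                and now - self.last_activity <= IDLE_TIMEOUT_SECONDS)

    def change_password(self, current: str, new: str, now: float) -> Tuple[bool, str]:
        if not password_matches(current, self.history[-1]):    # 8.2.2: verify identity first
            return False, "identity"
        if not meets_complexity(new):                           # 8.2.3
            return False, "complexity"
        if any(password_matches(new, rec) for rec in self.history):   # 8.2.5
            return False, "reuse"
        self._store(new, now)
        self.must_change = False
        return True, "changed"
```

Two details are easy to get wrong when wiring this into a real system. The lockout check runs before the password is verified, so a correct password submitted during the lockout window still returns "locked" and gives the caller no confirmation that it was correct. And the reuse check compares against the full retained history, including the current credential, which is what "the last four passwords he or she has used" means in practice.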

Requirement 8.3

Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance).

Requirement 8.4

Document and communicate authentication policies and procedures to all users including:
  • Guidance on selecting strong authentication credentials
  • Guidance for how users should protect their authentication credentials
  • Instructions not to reuse previously used passwords
  • Instructions to change passwords if there is any suspicion the password could be compromised.

Requirement 8.5

Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:
  • Generic user IDs are disabled or removed.
  • Shared user IDs do not exist for system administration and other critical functions.
  • Shared and generic user IDs are not used to administer any system components.

Requirement 8.5.1

Additional requirement for service providers only: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.

Requirement 8.6

Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows:
  • Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.
  • Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.

Requirement 8.7

All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows:
  • All user access to, user queries of, and user actions on databases are through programmatic methods.
  • Only database administrators have the ability to directly access or query databases.
  • Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).

Requirement 8.8

Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.