PCI Requirement 6.5.8 – Improper Access Control

PCI Requirement 6.5.8 requires that your organization's applications be protected from improper access control: insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions. PCI Requirement 6.5.8 applies to all of your organization's web applications and to all internal and external application interfaces. The PCI DSS singles out web applications because they carry unique security risks and are compromised comparatively easily and often.
The PCI DSS outlines four types of improper access control. Insecure direct object references occur when a developer exposes a reference to an internal implementation object (a database key, a file name, an account number) as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization. Failure to restrict URL access occurs when an application protects sensitive functionality only by not displaying the links or URLs to unauthorized users; attackers can use this weakness to access and perform unauthorized operations by requesting those URLs directly. Directory traversal occurs when an attacker can navigate or enumerate the server's directory structure, gaining access to unauthorized information as well as further insight into the workings of the site for later exploitation. Failure to restrict user access to functions permits access to unauthorized functions, which could result in unauthorized individuals gaining access to privileged credentials or cardholder data. Only authorized users should be permitted to access direct object references to sensitive resources, and that check belongs on the server, on every request, not in the user interface.
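The following is an added example, not part of the original page and not code from the PCI DSS or KirkpatrickPrice. It models the four weaknesses above in framework-free Python, each as a vulnerable handler beside a hardened one, and also shows the indirect-reference map the next paragraph's "not exposing internal object references" calls for. The users, roles, records, routes and temporary file tree are all constructed for the example, and the function names (`get_record`, `dispatch`, `read_file`) are assumptions rather than any real framework's API.

```python
"""Added illustration of PCI DSS 6.5.8: vulnerable handler beside hardened one."""
import secrets
import tempfile
from pathlib import Path

# Constructed sample data (not from the page): user -> role, internal record ids,
# and the roles allowed on each URL path.
USERS = {"alice": "customer", "bob": "customer", "carol": "admin"}
RECORDS = {
    101: {"owner": "alice", "pan_last4": "4242"},
    102: {"owner": "bob", "pan_last4": "0005"},
}
ROUTES = {
    "/account": {"customer", "admin"},
    "/admin/export": {"admin"},
}


class Forbidden(Exception):
    """Raised by the hardened handlers; the caller maps it to a generic 403/404."""


def denied(fn, *args):
    """True if calling fn(*args) raises Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


# 1. Insecure direct object reference
def get_record_idor(user, record_id):
    # Vulnerable: the user is authenticated, but ownership is never checked.
    return RECORDS[record_id]


def get_record(user, record_id):
    # Hardened: resolve the reference, then enforce ownership server-side.
    # Missing and foreign ids get the same outcome, so ids cannot be enumerated.
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != user:
        raise Forbidden
    return rec


def issue_indirect_refs(user):
    """Per-session map of random token -> internal id for this user's records.
    The client only ever sees the tokens, never the internal ids."""
    return {secrets.token_urlsafe(8): rid
            for rid, r in RECORDS.items() if r["owner"] == user}


def get_record_by_token(user, ref_map, token):
    # Unknown token: the map was built for this user, so anything else is denied.
    rid = ref_map.get(token)
    if rid is None:
        raise Forbidden
    return get_record(user, rid)  # ownership is still re-checked


# 2 and 4. Failure to restrict URL access / access to functions
def dispatch_hidden_link(user, path):
    # Vulnerable: the admin link is hidden in the UI, but the URL is not protected.
    return "served " + path


def dispatch(user, path):
    # Hardened: every route has an explicit allow-list, checked on every request.
    roles = ROUTES.get(path)
    if roles is None or USERS.get(user) not in roles:
        raise Forbidden
    return "served " + path


# 3. Directory traversal
def read_file_traversal(base, name):
    # Vulnerable: user-controlled name is joined straight onto the base directory.
    return (Path(base) / name).read_text()


def read_file(base, name):
    # Hardened: resolve symlinks and '..' first, then require the result to lie
    # inside base. Scanning the string for '..' alone misses encoded variants.
    root = Path(base).resolve()
    target = (root / name).resolve()
    if root != target and root not in target.parents:
        raise Forbidden
    return target.read_text()


def make_tree():
    """Constructed sample tree: base/public/report.txt and base/secret.txt."""
    base = Path(tempfile.mkdtemp())
    (base / "public").mkdir()
    (base / "public" / "report.txt").write_text("public report")
    (base / "secret.txt").write_text("cardholder data")
    return base


if __name__ == "__main__":
    print(get_record_idor("bob", 101)["pan_last4"])            # bob reads alice's record
    print(denied(get_record, "bob", 101))                       # True
    print(dispatch_hidden_link("alice", "/admin/export"))       # served anyway
    print(denied(dispatch, "alice", "/admin/export"))           # True
    base = make_tree()
    print(read_file_traversal(base / "public", "../secret.txt"))  # cardholder data
    print(denied(read_file, base / "public", "../secret.txt"))    # True
```

Note that the hardened handlers return the same denial for a missing object and for someone else's object; returning distinct errors would hand an attacker an oracle for enumerating valid ids. The path check compares resolved paths rather than inspecting the string, which is what defeats `..`, absolute paths and symlinks alike.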
In order to comply with PCI Requirement 6.5.8, your organization's secure development policies and procedures must address proper authentication of users, sanitizing input, not exposing internal object references to users, and user interfaces that do not permit access to unauthorized functions. To verify your compliance with PCI Requirement 6.5.8, an assessor reviews these policies and procedures and interviews the responsible personnel to confirm that your development process protects your applications from improper access control.
About Us
KirkpatrickPrice is a licensed CPA firm, PCI QSA, and HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance, performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on the SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks.