PCI Requirement 8.2 – Ensure Proper User-Authentication Management by Something You Know

PCI Requirement 8.2 adds an additional layer of security to user IDs by requiring something you know, something you have, or something you are. It states, “In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: something you know (such as a password or passphrase), something you have (such as a token device or smart card), something you are (such as a biometric).”
Understanding proper user-authentication management is easier than you might think. How many times have you entered a PIN after swiping your debit card this week? Your PIN is something you know. Has a website ever texted a one-time password to your phone so that you could gain access? That one-time password is something you have. Do you use a scan of your fingerprint to unlock your smartphone? Your fingerprint is something you are. The PCI DSS explains, “These authentication methods, when used in addition to unique IDs, help protect users’ IDs from being compromised, since the one attempting the compromise needs to know both the unique ID and the password (or other authentication used).”
To verify compliance with PCI Requirement 8.2, an assessor needs to examine the documentation that describes your organization’s authentication methods, then observe that the methods described are consistent with how your systems actually authenticate users.
About Us
KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks.