How UserLock and File Audit can help your organisation become PCI DSS compliant
PCI DSS Requirement 7: Restrict access to cardholder data by business need to know
"To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need-to-know and according to job responsibilities. Need to know is when access rights are granted to only the least amount of data and privileges needed to perform a job."
PCI DSS Requirement 8: Assign a unique ID to each person with computer access
"Assigning a unique identification (ID) to each person with access ensures their actions taken on critical data and systems are performed by, and can be traced to, known and authorized users."
Makes access controls more robust and more effective at verifying a user's identity.
Do your employees need to log in to access your network and do they do so with unique login credentials?
Ensures that nobody can log in to the system without uniquely identifiable credentials.
Do you restrict users from sharing logins?
Prevents concurrent logins with the same set of user credentials — helping to eradicate dangerous password sharing practices and stop unauthorized access.
Can you attribute actions on the network to individual users?
Helps administrators verify any user's identity at any time, making each user accountable for all activity under that identity, malicious or otherwise.
Do you enforce the secure use of passwords?
Strengthens unique network login credentials with context-aware access restrictions and user reminders, which help verify that a person seeking access to the network and the information within is genuinely who they claim to be.
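The two controls above that make Requirement 8 enforceable in practice are blocking a second simultaneous session on the same credentials, and being able to say which person held which session at a given moment. The following is an added illustration of both, written for this page and not UserLock's own code; it replays a constructed logon/logoff log (sample lines made up for the example, the account names and workstation names are placeholders) and denies any logon that would give one account more open sessions than the policy allows, then answers "who was logged on to which machine at time T" from the sessions that were actually permitted.

```python
"""Concurrent-logon detection and session attribution over a logon log.

Added example, not UserLock's own code. Events are replayed in time
order under a per-account session limit; a logon that would exceed the
limit is recorded as a violation and never becomes an open session, so
the attribution view only ever shows sessions the policy allowed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple, Union


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    user: str
    workstation: str
    action: str  # "logon" or "logoff"


# Constructed sample log (not real data). Format: ISO timestamp, account,
# workstation, action. "jsmith" opens a session on WS01 and the same
# credentials are then used on WS07 while WS01 is still active.
SAMPLE_LOG = """\
2024-05-01T08:00:00 jsmith WS01 logon
2024-05-01T08:05:00 akhan WS02 logon
2024-05-01T08:30:00 jsmith WS07 logon
2024-05-01T09:00:00 jsmith WS01 logoff
2024-05-01T09:10:00 jsmith WS07 logon
2024-05-01T09:15:00 akhan WS02 logon
"""


def parse_log(text: str) -> List[LogonEvent]:
    """Parse the whitespace-separated sample format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user, workstation, action = line.split()
        if action not in ("logon", "logoff"):
            raise ValueError(f"unknown action {action!r} in line: {line}")
        events.append(LogonEvent(datetime.fromisoformat(when), user, workstation, action))
    return events


def replay(
    events: List[LogonEvent],
    until: Optional[datetime] = None,
    max_sessions: int = 1,
) -> Tuple[Dict[str, Set[str]], List[Tuple[LogonEvent, List[str]]]]:
    """Replay events in time order, enforcing a per-account session limit.

    Returns (active, violations): `active` maps each account to the
    workstations on which it currently holds a session; `violations`
    lists the logons that would have exceeded the limit, each paired
    with the sessions that were already open at that moment.
    """
    active: Dict[str, Set[str]] = {}
    violations: List[Tuple[LogonEvent, List[str]]] = []
    for ev in sorted(events, key=lambda e: e.when):
        if until is not None and ev.when > until:
            break
        open_ws = active.setdefault(ev.user, set())
        if ev.action == "logoff":
            open_ws.discard(ev.workstation)
        elif ev.workstation in open_ws:
            continue  # reconnect to a machine already held: not a new session
        elif len(open_ws) >= max_sessions:
            violations.append((ev, sorted(open_ws)))  # denied, not opened
        else:
            open_ws.add(ev.workstation)
    return active, violations


def find_concurrent_logons(events: List[LogonEvent], max_sessions: int = 1):
    """Logons that would have given one account too many open sessions."""
    return replay(events, max_sessions=max_sessions)[1]


def who_was_logged_on(events: List[LogonEvent], at: Union[str, datetime], max_sessions: int = 1) -> Dict[str, str]:
    """Map workstation -> account for every session open at time `at`.

    `at` may be a datetime or an ISO-8601 string such as "2024-05-01T08:45:00".
    """
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    active, _ = replay(events, until=at, max_sessions=max_sessions)
    return {ws: user for user, held in active.items() for ws in held}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev, held in find_concurrent_logons(evs):
        print(f"{ev.when:%H:%M} DENY {ev.user} on {ev.workstation}: "
              f"already logged on at {', '.join(held)}")
    print(who_was_logged_on(evs, "2024-05-01T08:45:00"))
```

On the sample log the 08:30 logon of jsmith on WS07 is denied because WS01 is still open, and at 08:45 the attribution view shows WS01 held by jsmith and WS02 by akhan; once jsmith has logged off WS01, the 09:10 logon on WS07 is allowed. Raising `max_sessions` to 2 permits the second session, which is the knob a site would use for accounts that legitimately need more than one.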
PCI DSS Requirement 10: Track and monitor all access to network resources and cardholder data
"Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs."