Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for their actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users and processes.
The effectiveness of a password is largely determined by the design and implementation of the authentication system—particularly, how frequently password attempts can be made by an attacker, and the security methods to protect user passwords at the point of entry, during transmission, and while in storage.
Note:
Section | PCI Requirement | Comments | Responsibilities on Artsman Cloud |
8.1 | Define and implement policies and procedures to ensure proper user identification management for non- consumer users and administrators on all system components as follows: | Theatre Manager implements PCI standards. You may need a manual process for other applications or hardware. | Customer: via Theatre Manager |
8.1.1 | Assign all users a unique ID before allowing them to access system components or cardholder data. | ||
8.1.2 | Control addition, deletion, and modification of user IDs, credentials, and other identifier objects. | ||
8.1.3 | Immediately revoke access for any terminated users. | ||
8.1.4 | Remove/disable inactive user accounts within 90 days. | Refer to the PCI Security Tab in System Preferences for settings. Theatre Manager enforces stronger password policies than the minimum PCI standards. | |
8.1.5 | Manage IDs used by vendors to access, support, or maintain system components via remote access as follows:
|
Theatre Manager uses Teamviewer for one-time access, granted as needed. | |
8.1.6 | Limit repeated access attempts by locking out the user ID after not more than six attempts. | Theatre Manager limits incorrect password attempts to a total of 6 since the last successful attempt and locks out the account on failure. | |
8.1.7 | Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID. | Lockout duration in Theatre Manager is permanent. Locked out employee must be re-instated by administrator. | |
8.1.8 | If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session. |
Theatre Manager has two timeouts. After 15 minutes of inactivity, the user will see a lock screen and need only put in their password again to continue.
There is a longer timeout in Company Preferences->Reports where you can specify when an idle user will be forced log off the system. The process is:
|
|
8.2 | In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:
|
Customer: password via Theatre Manager, tokens and biometrics for Operating System login | |
8.2.1 | Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components. |
Passwords are never transmitted in clear text when logging on to the database.
User Passwords are stored in the database in encrypted format and established in PostgreSQL as a hash of that encrypted value. When a user logs in, the password is converted to the salted hash and that is used to login. All communication to the PostgreSQL Database is over a secure connection, currently TLS 1.2 or better. |
automatic via Theatre Manager |
8.2.2 | Verify user identity before modifying any authentication credential—for example, performing password resets, provisioning new tokens, or generating new keys. | Only administrators are able to reset a password, reinstate an employee and/or regenerate credit card encryption keys. | automatic via Theatre Manager |
8.2.3 | Passwords/phrases must meet the following:
|
Theatre Manager enforces
|
automatic via Theatre Manager |
8.2.4 | Change user passwords/passphrases at least once every 90 days. | Theatre Manager enforces this | Customer: follow Theatre Manager prompts to change password |
8.2.5 | Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used. | Theatre Manager enforces 12 and that can be raised | automatic via Theatre Manager |
8.2.6 | Set passwords/phrases for first- time use and upon reset to a unique value for each user, and change immediately after the first use. | Theatre Manager enforces change of password at time of login for first time users | automatic via Theatre Manager |
8.3 | Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties, (including vendor access for support or maintenance).
Note: Two-factor authentication requires that two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication. Examples of two-factor tehcnologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens, and other technologies that facilitate two-factor authentication. |
Two factor authentication means something you know and something you are given. Our QSA (the auditor who assesses Theatre Manager's ability to meet PCI compliance) has indicated that Teamviewer meets that requirement when used per the instructions. The multiple factors include:
|
automatic via Theatre Manager |
8.4 | Document and communicate authentication policies and procedures to all users including:
|
All Theatre Manager user passwords are encrypted in the database. MD5 authentication is recommended at a minimum for accessing the database (this is the default standard in the pg_hba.conf file) | automatic via Theatre Manager |
8.5 | Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:
|
There are no generic passwords. User ID's and Passwords are created by the user on installation. | automatic as part of Theatre Manager installation practices |
8.5.1 | Additional requirement for service providers only: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.
Note: This requirement is not intended to apply to shared hosting providers accessing their own hosting environment, where multiple customer environments are hosted. |
Arts Management does not require permanent remote access to your servers. Temporary access is always initiated by the customer as described in the teamviewer remote support help page. | Customer: provides Local access via Teamviewed if required |
8.6 | Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows:
|
Artsman: cloud
Customer: workstation |
|
8.7 | All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows:
|
Access to the db is controlled by the pg_hba.conf file and it is set so that all users must log in to read data. The user's id for the database is set by the application and not known. The password in postgres is set by the application and stored encrypted. Thus, the user cannot access the database even knowing their user ID and password because it is not the same as plain-text. Cloud database access for users is managed through an access broker system (with revokable tokens) followed by customer user id/password |
Artsman: cloud
Customer: workstation |
8.8 | Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties. |
Artsman: cloud
Customer: workstation |