[PCI DSS 1.x] 10.2 5 Use of identification and authentication mechanisms

pcinetwork · March 18, 2007, 7:27am

10.2.5 Use of identification and authentication mechanisms

trrisberg · July 6, 2007, 7:56pm

What are “identification and authentication mechanisms”? I have seen them defined as [FONT=Helv][SIZE=2]“two factor” authentication devices, such as [FONT=Helv][SIZE=2]key fobs or tokens with programmed passwords that change every 60 seconds, or biometric devices, but I am being told that it also includes server-based logon validation. To me, that seems to be the event covered in 10.2.4, and that 10.2.5 is refering to specialized electronic devices used to verify identity.
[/SIZE][/FONT][/SIZE][/FONT]

dkk · July 11, 2007, 11:04pm

Hello trrisberg,

10.2.5  is not a requirement for "two factor" auth but a requirement for requiring identification and authentication for ALL/ANY system access and ALL system access/use being auditable  to a uniquely identifiable user when something does go wrong.

HTH,

Dan

David_Marsh · January 8, 2009, 4:11pm

Still confused by the requirement

Under 10.2.4 we have to log any invalid access attempts to system components, presumably failed logons to servers with card data

What does 10.2.5 include. Does it only include logging of access via our RSA server (which we use for remote access)

Please could you help, many thanks

David

LJKSoftware · June 14, 2009, 5:06am

10.2.5 covers “authentication”, presumably both failed and successful.

But “invalid access attempts” in 10.2.4 would include a valid (for some meaning of the term “valid”) user attempting to access something to which they are not permitted access. Presuming data is properly secured, a trail of failed access attempts might indicate an attack in progress. (It also might indicate an improperly written application, but that is worth addressing also, if only to cut down on the audit noise.)

rk3745 · August 31, 2009, 5:31pm

AD behind CHD env.

Can I use Windows AD server that is outside of CHD network (behind firewall) to provide identification and authentication mechanisms for users and servers within CHD environment?

jycegrcia · April 22, 2010, 10:52am

10.2.5 says that the requirement depends on the authentication mechanism you are using. Assuming that you just use plain Solaris it is covered by the lo class, and if you use Kerberos you need the ap class too.

Roger_Nebel · May 13, 2010, 3:08pm

Yes, but the AD would then fall into the CHD environment and thus would need to meet all the PCI DSS requirements. It may also make the entire network the AD is in fall into the CHD environment. A better way may be to have a separate AD in the CHD environment that has a trust relationship with the primary AD and can pull credential info in as needed.

Spline64 · May 25, 2011, 5:46pm

Hello,

So if I interperate 10.2.5 correctly, you can accomplish this by having all computers log into AD and keeping a log of this?
Or does this mean that ALL machines must have the local security settings changed to log “log in and log out” events?

thanks,
Spline64