[PCI DSS 1.x] 10.2.5 Use of identification and authentication mechanisms

10.2.5 Use of identification and authentication mechanisms

What are “identification and authentication mechanisms”? I have seen them defined as “two factor” authentication devices, such as key fobs or tokens with programmed passwords that change every 60 seconds, or biometric devices, but I am being told that it also includes server-based logon validation. To me, that seems to be the event covered in 10.2.4, and 10.2.5 seems to be referring to specialized electronic devices used to verify identity.

Hello trrisberg,

10.2.5 is not a requirement for "two factor" auth but a requirement for requiring identification and authentication for ALL/ANY system access, and for ALL system access/use being auditable to a uniquely identifiable user when something does go wrong.



Still confused by the requirement

Under 10.2.4 we have to log any invalid access attempts to system components, presumably failed logons to servers with card data.

What does 10.2.5 include? Does it only include logging of access via our RSA server (which we use for remote access)?

Please could you help, many thanks


10.2.5 covers “authentication”, presumably both failed and successful.

But “invalid access attempts” in 10.2.4 would include a valid (for some meaning of the term “valid”) user attempting to access something to which they are not permitted access. Presuming data is properly secured, a trail of failed access attempts might indicate an attack in progress. (It also might indicate an improperly written application, but that is worth addressing also, if only to cut down on the audit noise.)
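To make the 10.2.4 / 10.2.5 split above concrete, here is an added example (not from this thread or any PCI document) that maps constructed Windows Security log lines onto the two sub-requirements, flags records that cannot be tied to a unique user, and reports the kind of failed-access trail the reply mentions. The event IDs are the standard Windows Security log IDs; the `key=value` export format and the log lines themselves are constructed sample data.

```python
"""Map constructed Windows Security log lines onto PCI DSS 10.2.4 / 10.2.5.
Added example; the key=value export format and sample lines are constructed."""
from collections import Counter, defaultdict

# Uses of the identification/authentication mechanism (10.2.5), pass or fail.
AUTH_EVENTS = {4624: "logon", 4625: "logon failed", 4634: "logoff",
               4768: "kerberos tgt requested", 4771: "kerberos pre-auth failed"}
# Object-access events; a Failure here is a valid user denied access (10.2.4).
ACCESS_EVENTS = {4656: "object handle requested"}

SAMPLE_LOG = """\
EventID=4624 Keywords=AuditSuccess Host=app01 TargetUserName=jsmith
EventID=4625 Keywords=AuditFailure Host=app01 TargetUserName=jsmith
EventID=4625 Keywords=AuditFailure Host=app01 TargetUserName=jsmith
EventID=4771 Keywords=AuditFailure Host=dc01 TargetUserName=jsmith
EventID=4656 Keywords=AuditFailure Host=db01 TargetUserName=mjones ObjectName=D:\\chd\\pan.db
EventID=4634 Keywords=AuditSuccess Host=app01 TargetUserName=
""".splitlines()

def parse(line):
    """Turn one constructed 'key=value ...' line into a dict."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    rec["EventID"] = int(rec["EventID"])
    rec["failed"] = rec.get("Keywords") == "AuditFailure"
    return rec

def classify(rec):
    """Return the 10.2 sub-requirements a record gives evidence for."""
    reqs = set()
    if rec["EventID"] in AUTH_EVENTS:
        reqs.add("10.2.5")           # any use of the auth mechanism, pass or fail
        if rec["failed"]:
            reqs.add("10.2.4")       # a failed logon is also an invalid access attempt
    elif rec["EventID"] in ACCESS_EVENTS and rec["failed"]:
        reqs.add("10.2.4")           # authenticated, but not permitted this object
    return reqs

def audit(lines, trail_threshold=2):
    """Bucket records by requirement, list those with no attributable user,
    and report (host, user) pairs whose failures reach the threshold."""
    by_req, unattributed, failures = defaultdict(list), [], Counter()
    for rec in map(parse, lines):
        if not rec.get("TargetUserName"):
            unattributed.append(rec)  # cannot be tied to a uniquely identifiable user
        if rec["failed"]:
            failures[(rec["Host"], rec["TargetUserName"])] += 1
        for req in classify(rec):
            by_req[req].append(rec)
    trails = {k: n for k, n in failures.items() if n >= trail_threshold}
    return dict(by_req), unattributed, trails
```

A real deployment would read from the exported log rather than the inline sample, and would treat the trail report as a prompt to investigate (attack or a misbehaving application), not as a verdict.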

AD behind CHD env.

Can I use Windows AD server that is outside of CHD network (behind firewall) to provide identification and authentication mechanisms for users and servers within CHD environment?

10.2.5 says that the requirement depends on the authentication mechanism you are using. Assuming that you just use plain Solaris it is covered by the lo class, and if you use Kerberos you need the ap class too.

Yes, but the AD would then fall into the CHD environment and thus would need to meet all the PCI DSS requirements. It may also make the entire network the AD is in fall into the CHD environment. A better way may be to have a separate AD in the CHD environment that has a trust relationship with the primary AD and can pull credential info in as needed.


So if I interpret 10.2.5 correctly, you can accomplish this by having all computers log into AD and keeping a log of this?
Or does this mean that ALL machines must have the local security settings changed to log “log in and log out” events?