SecureAuth IEP
Meets PCI DSS Requirements

Easily Meet PCI DSS Requirements with SecureAuth’s Identity Enforcement Platform

The goal of the Payment Card Industry (PCI) Data Security Standard (DSS) is simple: protect cardholder account data. To achieve this, the PCI Security Standards Council (SSC) has gained endorsement of the PCI DSS by the five major payment card brands: Visa’s Cardholder Information Security Program (CISP), MasterCard, Discover Financial Services, American Express, and JCB International. The PCI DSS is a set of security requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Any organization that handles cardholder data must be PCI DSS compliant or risk audits, fines or the loss of the right to process payments via credit or debit card. If your organization handles credit card data you need to comply with the PCI DSS to avoid hefty fines but, more importantly, to reduce the risk of a devastating data breach.

SecureAuth Delivers Secure, Simple Access that Meets or Exceeds PCI DSS Requirement 8

SecureAuth is an Identity Enforcement Platform (IEP) that secures and simplifies access to every cloud, VPN, and web resource from the office, stores, warehouses, or remotely from mobile devices with integrated Authentication, SSO, and IdM Services. SecureAuth solutions help organizations meet or exceed all of PCI DSS Requirement 8 – User Access, including the key requirements for access to external connections into the networks and connections to and from the authorization and settlement environment.

  • Requirement 8.1: Identify all users with a unique user name
  • Requirement 8.2: Employ at least one method of authentication
  • Requirement 8.3: Implement two-factor authentication for remote access
  • Requirement 8.4: Encrypt all passwords during transmission and storage on all systems
  • Requirement 8.5: Ensure proper user authentication and password management

SecureAuth Highlights for PCI DSS Requirements

PCI DSS Requirement 8.1

Calls for organizations to identify all users with a unique user name before allowing them to access system components or cardholder data.

SecureAuth creates a secure, unique user credential that is mapped to an enterprise UserID.

PCI DSS Requirement 8.2

Mandates that organizations employ at least one method of authentication: passwords, token devices, certificates, public keys, or biometrics.

The SecureAuth credential is utilized to securely identify and authenticate the user. The UserID is carried in the SecureAuth credential presented by the end-user upon attempted access.

PCI DSS Requirement 8.3

Mandates that organizations must implement two-factor authentication for remote access to the network by employees, administrators, and third parties. You must use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens or a VPN (based on SSL/TLS or IPSEC) with individual certificates.

SecureAuth VPN authentication works in conjunction with a VPN appliance to authenticate a user with a securely delivered X.509 credential, which meets the 8.5 PCI DSS requirement of an “individual certificate”. The VPN is configured to require a password plus certificate for authentication, thus enabling true 2-factor authentication: the user must possess the SecureAuth certificate and input the password associated with the user’s account.

PCI DSS Requirement 8.4

Mandates that organizations must encrypt all passwords during transmission and storage on all system components.

SecureAuth doesn’t require its own user credential and password data store. To ensure the security of all passwords, SecureAuth utilizes the directory (Active Directory, ADAM, LDAP, etc.) that the VPN or web application is already using natively. This meets PCI DSS Requirement 8.4, and an organization doesn’t have to create, sync, and encrypt an additional set of credential data.

PCI DSS Requirement 8.5

Mandates that organizations must ensure proper user authentication and password management for non-consumer users and administrators on all system components.

  • The SecureAuth appliance is administered via a secure GUI. All administrators are required to authenticate via strong 2-factor, SecureAuth authentication (certificate plus UserID/password).
  • Administration accounts are uniquely created and associated with individual accounts, so configuration modifications are associated with specific administrators.
  • SecureAuth requires end-users to perform a 2-factor authentication (certificate + password) before they are allowed to modify their passwords.
  • SecureAuth works in conjunction with VPNs and web applications for resetting the password on first usage.
  • SecureAuth is unique among X.509 authentication solutions in that it provides instant revocation by checking the data store of record to ensure that the user is still in existence. This facilitates one-button revocation.
  • SecureAuth can set its credentials for any time period. An enterprise can set the SecureAuth credential to be 90 days or less, thereby forcing users to re-authenticate every 90 days.
  • SecureAuth has a configurable certificate length that can be set in accordance to security and resource requirements.
  • SecureAuth is a user self-enrollment product that walks an end-user through a simple process to obtain a secure credential. Additionally, the product utilizes an organization’s data store, which allows it to follow an organization’s existing policies.
  • SecureAuth’s unique self-enrollment for X.509 credentials makes sharing of the certificate impossible without having access to the user’s machine, as well as access to their user name and password information.
  • SecureAuth requires the end-user to change his or her security credential based on policy - every 90 days or whatever time period an organization determines. The SecureAuth authentication credential can be set from 1 hour to 10 years. SecureAuth enables an organization to meet the requirement today, but also to adjust accordingly if this requirement changes.
  • SecureAuth utilizes an organization’s data store. Whatever policy an organization sets for password length, use of both numeric and alphabetic characters, and password re-use is enforced by the SecureAuth appliance during certificate enrollment.
  • SecureAuth has a lock-out feature for registration. The default for this configurable feature is three attempts. In accordance with requirement 8.5.14 accounts can be locked out for a given time period. This is configurable in the data store that SecureAuth uses.
  • SecureAuth relies on VPN and web application settings for session duration and session idle enforcement.
  • The policies for database access contained in an organization’s data store can be used for SecureAuth with no additional effort.
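The Requirement 8.3 and 8.5 behaviour described above (certificate plus password as two factors, a credential lifetime capped at 90 days, revocation by confirming the UserID still exists in the directory of record, and a three-attempt lock-out per 8.5.14) sketched as a policy check. This is an added illustration, not SecureAuth’s code: the `Credential` and `DirectoryEntry` classes are constructed stand-ins for the X.509 fields and the directory record, and the 30-minute lock-out period is an assumed value.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import hashlib, hmac, os

MAX_CERT_LIFETIME = timedelta(days=90)  # datasheet policy: credential valid 90 days or less
MAX_ATTEMPTS = 3                        # datasheet default: three attempts
LOCKOUT_PERIOD = timedelta(minutes=30)  # assumed; the page says this is set in the data store

@dataclass
class Credential:
    # Stand-in for the X.509 fields the check needs (constructed, not a real cert parser)
    user_id: str
    not_before: datetime
    not_after: datetime

@dataclass
class DirectoryEntry:
    # Stand-in for the user's record in the directory of record (AD/LDAP)
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: Optional[datetime] = None

def make_entry(password: str) -> DirectoryEntry:
    salt = os.urandom(16)
    return DirectoryEntry(salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

def authenticate(cred: Credential, password: str, directory: dict, now: datetime) -> str:
    # Factor 1: certificate inside its validity window, and the window itself within policy
    if not (cred.not_before <= now <= cred.not_after):
        return "cert-expired"
    if cred.not_after - cred.not_before > MAX_CERT_LIFETIME:
        return "cert-lifetime-exceeds-policy"
    # "Instant revocation": the certificate is only honoured while the UserID still exists
    entry = directory.get(cred.user_id)
    if entry is None:
        return "revoked"
    if entry.locked_until is not None and now < entry.locked_until:
        return "locked"
    # Factor 2: password verified against the directory's stored hash, never a local copy
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), entry.salt, 100_000)
    if hmac.compare_digest(candidate, entry.pw_hash):
        entry.failures = 0
        return "ok"
    entry.failures += 1
    if entry.failures >= MAX_ATTEMPTS:  # requirement 8.5.14 lock-out after repeated failures
        entry.failures, entry.locked_until = 0, now + LOCKOUT_PERIOD
        return "locked"
    return "bad-password"
```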

To learn why SecureAuth Corporation is the ideal choice for the most challenging PCI DSS requirements, check out SecureAuth IEP in more detail.
