On March 31, 2022, the Payment Card Industry Security Standards Council (PCI SSC) released version 4.0 of the PCI DSS - the most comprehensive update to the standard since version 1.0. To help you ease the transition, in our series of posts we take a closer look at the key new features that PCI DSS v.4.0 brings. In the second part, we take a look at the new requirements for technical user handling.
What are Technical Users?
The term technical user or application or system accounts refers to user accounts that are used by systems or IT applications and are not assigned to a unique human user. These are usually user accounts that are required for IT applications to communicate with each other or with databases.
Certain technical users are used both by applications and systems and by human users. These are referred to as technical user accounts with interactive login.
Technical User in the PCI DSS
Dealing with technical users/system accounts was not explicitly addressed in past versions of the PCI DSS. However, if such accounts are successfully compromised, similar dangers arise as from compromising an account assigned to a human user. Attackers can gain the same access rights and privileges by taking over the account that would otherwise have been granted exclusively for running applications or system processes. Especially with the rapid proliferation of newer technologies, such as Infrastructure as Code, the scope of the potential impact of such compromise is also growing. As a result, organizations must ensure that security measures are as effective for technical users as they are for human user accounts. In version 4.0, therefore, the PCI DSS for the first time contains specific requirements for dealing with technical user accounts.
PCI DSS Requirements for Technical User Handling
Version 4.0 of the PCI DSS specifies some specific requirements for dealing with technical users for the first time. Essentially, these focus on measures for restricting rights, protecting passwords and logging access to (interactive) technical user accounts:
Restriction of Rights
Requirement 7.2.5
All application and system accounts and related access privileges are assigned and managed as follows:
- Based on the least privileges necessary for the operability of the system or application.
- Access is limited to the systems, applications, or processes that specifically require their use.
Requirement 7.2.5.1
All access by application and system accounts and related access privileges are reviewed as follows:
- Periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1).
- The application/system access remains appropriate for the function being performed.
- Any inappropriate access is addressed.
- Management acknowledges that access remains appropriate.
Requirement 8.6.1
If accounts used by systems or applications can be used for interactive login, they are managed as follows:
- Interactive use is prevented unless needed for an exceptional circumstance.
- Interactive use is limited to the time needed for the exceptional circumstance.
- Business justification for interactive use is documented.
- Interactive use is explicitly approved by management.
- Individual user identity is confirmed before access to account is granted.
- Every action taken is attributable to an individual user.
Password/Passphrase Protection
Requirement 8.6.2
- Passwords/passphrases for any application and system accounts that can be used for interactive login are not hard coded in scripts, configuration/property files, or bespoke and custom source code.
Requirement 8.6.3
Passwords/passphrases for any application and system accounts are protected against misuse as follows:
- Passwords/passphrases are changed periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1) and upon suspicion or confirmation of compromise.
- Passwords/passphrases are constructed with sufficient complexity appropriate for how frequently the entity changes the passwords/passphrases.
Logging of Activities Through Interactive Technical User Accounts
Requirement 10.2.1.2
- Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.
Source: PCI DSS (https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf)
Next Steps
Effective security measures to protect technical user accounts are vital for a strong IT security posture, especially against the evolving technology backdrop. In order to implement appropriate measures, a complete record and listing of all technical user accounts in use is the logical first step. Particularly for companies with extensive IT environments in which a large number of technical users are in use, even this first step and the subsequent implementation of the measures required by PCI DSS v4.0 can become a major task. Should you require support or advice in this regard, your PCI DSS auditor is available to assist you with this task.