view of access control implementation that should be in place for an organization handling cardholder information. It must be noted that although the requirement states that it is for individuals with computer access, it also applies to individuals who have access to applications.
The PA-DSS (Payment Application Data Security), the subset of the PCI-DSS, also states that the same requirements need to be implemented for an application that is part of the authorization and settlement function of a card transaction. The requirement specifies the following:
Each individual with access to the environment needs to possess a unique ID and one of the
factors of authentication along with the unique ID, which could be either a password (what
the user knows) or an authentication token (what the user has).
The requirement also specifies that all passwords have to be encrypted during transmission and storage, using strong cryptography. With reference to Web applications, the most common implementation for encrypted transmission is the use of SSL/TLS, which has been dealt with extensively in Chapter 8. Passwords can be encrypted and stored in a file or a database, based on the organization's requirement. Encryption techniques for the same have been dealt with in Chapter 8.
The rest of the requirement delves specifically into password policies and practices that need to be followed for an environment storing, processing or transmitting cardholder information. Some of the relevant practices mentioned by the standard are as follows:
The standard requires first-time passwords to be set to a unique value, which is to be changed at the time of the first login by the user. The same process may be replicated for password resets as well.
The application should also facilitate the termination or suspension of user accounts. This is especially beneficial for administrative accounts and corporate user accounts of a Web application, as they can have access to a great deal of sensitive information. The standard also requires the deletion of inactive user accounts every 90 days.
Password practices are an important aspect of this requirement. The standard requires a minimum password length of seven characters, with alphanumeric characters. The standard also mandates a password expiration period of a maximum of 90 days and a password history of four passwords remembered.
Password lockouts and resets are also included as part of the requirement. The standard mandates that user accounts should be locked out after a maximum of six invalid access attempts. The lockout duration required by the standard is a minimum of 30 minutes or until the administrator enables the account.
Session idle time is to be set to a maximum of 15 minutes according to the PCI-DSS.
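As an added example, not code from the book, the following Python sketch turns the password practices listed above into enforceable checks: the seven-character alphanumeric minimum, the four-password history, the 90-day expiry, the lockout after six invalid attempts for 30 minutes, and the forced change of a first-time or reset password. The Account structure, the function names and the use of salted PBKDF2-HMAC-SHA256 for storage are assumptions of this example, not the book's own choices.

```python
import hashlib, secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

# Limits quoted from PCI-DSS Requirement 8 in the text above.
MIN_LENGTH, HISTORY_SIZE, MAX_FAILED_ATTEMPTS = 7, 4, 6
MAX_PASSWORD_AGE, LOCKOUT_DURATION = timedelta(days=90), timedelta(minutes=30)

def hash_password(password, salt=None):  # PBKDF2-HMAC-SHA256 is assumed here; Chapter 8's algorithm is not implied
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
def verify(password, salt, digest):
    return secrets.compare_digest(hash_password(password, salt)[1], digest)

@dataclass
class Account:
    user_id: str                  # the unique ID the requirement demands per individual
    history: list                 # (salt, digest) pairs, newest first; history[0] is current
    changed_at: datetime
    failures: int = 0
    locked_until: datetime = None
    must_change: bool = True      # first-time and reset passwords are one-time values

def check_complexity(password):
    if len(password) < MIN_LENGTH:
        return "shorter than 7 characters"
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        return "must contain both letters and digits"

def change_password(acct, new, now):
    reason = check_complexity(new)
    if reason is None and any(verify(new, s, d) for s, d in acct.history):
        reason = "matches one of the last 4 passwords"
    if reason is None:            # retain only the last HISTORY_SIZE digests
        acct.history = [hash_password(new)] + acct.history[:HISTORY_SIZE - 1]
        acct.changed_at, acct.must_change = now, False
    return reason

def login(acct, password, now):
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"           # an administrator may also clear locked_until earlier
    if not verify(password, *acct.history[0]):
        acct.failures += 1
        if acct.failures >= MAX_FAILED_ATTEMPTS:
            acct.failures, acct.locked_until = 0, now + LOCKOUT_DURATION
        return "denied"
    acct.failures, acct.locked_until = 0, None
    if acct.must_change or now - acct.changed_at > MAX_PASSWORD_AGE:
        return "change-required"
    return "ok"
```

Session idle time (the 15-minute limit above) belongs in the session layer rather than in the account record, so it is not modelled here.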
Requirement 6 of the PCI-DSS and Requirement 5 of the PA-DSS also specify the OWASP Top 10 Web Application Security Best Practices, which require the organization's Web applications to be protected against Web application attacks like session fixation and cross-site request forgery.