PCI Requirement 8.1.5 – Manage IDs Used by Third Parties to Access, Support, or Maintain System Components via Remote Access

by Randy Bartels / December 21st, 2017

Managing Third-Party Access

PCI Requirement 8.1.5 focuses on managing third-party access to your system. In situations where you’ve given user IDs to third parties so they can access, support, or maintain system components through remote access, those accounts must be monitored. PCI Requirement 8.1.5 deems that accounts used by third parties should only be enabled during the time period needed, and then disabled when not in use. When they are in use, the accounts must be monitored.

A common scenario we encounter is organizations who allow third parties to have access into their network 24/7 in case they need to provide support to the system. It’s difficult to monitor that activity 24/7, right? This is where PCI Requirement 8.1.5 tries to provide a solution for managing third-party access by requiring that access only be allowed when it’s needed. The PCI DSS explains, “Enabling access only for the time periods needed, and disabling it as soon as it is no longer needed, helps prevent misuse of these connections. Monitoring of vendor access provides assurance that vendors are accessing only the systems necessary and only during approved time frames.”

Failure of managing third-party access leads to the risk of malicious activity. The PCI DSS states, “Allowing vendors to have 24/7 access into your network in case they need to support your systems increases the chances of unauthorized access, either from a user in the vendor’s environment or from a malicious individual who finds and uses this always-available external entry point into your network.” Complying with PCI Requirement 8.1.5 equips your organization to have manageable relationships with third parties who access, support, or maintain system components through remote access.

From time to time, there might be situations where your organization needs to work with a third party in order to help manage your environment. In that situation where you have given them access into your environment and you’ve created an account for them, when these individuals are coming in from remote, we need to manage these accounts. It’s different if you have somebody that’s a third party that resides in your facility, like someone who’s providing some type of staffing authentication versus a vendor that comes in once a month. In these situations, you still need to manage these accounts.

When we look specifically at this requirement, it says that we need to monitor these accounts at all times, so we need to be monitoring these activities. We need to enable these accounts only when they’re going to be in use. If you as an organization have somebody that’s supporting your environment and you say, “Jeff, we leave these accounts on 24 hours a day because we never know when they’re going to need to get into to support these environments.” I realize that might be a struggle for you to monitor these activities. But in those types of situations, you need to find a way to disable these accounts and re-enable them only when they’re necessary, so that these individuals only have access to these environments as well.

I’m going to call out PCI Requirement 8.1.3 here (we’re not going to talk about it fully), but if these individuals that are coming into your environment by authenticating from remote to support your environment, or these third parties that are coming into your environment, or specifically if they are coming into your environment for administrative purposes or coming into your cardholder data environment at all, there is a factor that they use two-factor authentication. There might be some ways that you can maintain control or physical access over that two-factor authentication by providing that for authentication when they need it. Work with your assessor on methods and means for meeting this obligation. Effectively, if an account is not needed at the immediate period of time, that account needs to be disabled.

Just as an interesting point of conversation, I’ve had a lot of opportunities to work with card brands (Visa, Mastercard, JCB, Discover) and I always ask them, “What are the things that permit the bad guys from getting into the environment from a hacker’s perspective?” They said that the number one cause of individuals getting hacked is allowing accounts like these to be left open and the passwords somehow getting compromised. If I can provide you any bit of guidance or recommendation, make sure that this particular control is managed appropriately.