PCI Requirement 8.5.1 – Additional Requirement for Service Providers Only:

by Randy Bartels / December 21st, 2017

Service Providers with Remote Access to Customer Premises Must Use Unique Authentication Credential for Each Customer

Multiple Customers, Multiple Authentication Credentials

The PCI DSS has several requirements that are specific to service providers, including PCI Requirement 8.5.1, which states, “Service providers with remote access to customer premises must use a unique authentication credential for each customer.” PCI Requirement 8.5.1 prevents the compromise of multiple customers through the use of a single set of authentication credentials; if a malicious individual compromises one account and only one authentication credential is used across customers, that same credential gives them access to every other customer as well.

The PCI DSS also notes, “This requirement is not intended to apply to shared hosting providers accessing their own hosting environment, where multiple customer environments are hosted.”

If your organization is a service provider, you need to use unique authentication credentials for each of your customers. This means that if you have five clients, you use a different authentication credential for each one. The purpose and intent behind this is that if Hacker Joe is able to compromise Account 1, we want to prevent him from compromising Accounts 2, 3, 4, and 5 with the same credential. To limit this type of vulnerability, it’s required that you use unique authentication credentials for each customer.
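The way an assessor (or your own internal audit) can make the "one compromised credential, five exposed customers" risk concrete is to check the credential inventory itself. The script below is an added example, not part of the original post and not a KirkpatrickPrice or PCI SSC tool; it assumes a hypothetical inventory of remote-access credentials, one record per customer, with constructed sample values. It fingerprints each secret with a hash (so plaintext is not carried around), reports which customers share a credential, and computes the blast radius of a single compromise.

```python
import hashlib
from collections import defaultdict

# Constructed sample inventory (hypothetical values, not real credentials):
# one record per remote-access credential the provider holds for a customer site.
# Customers 1-3 reuse the same password, which is the PCI 8.5.1 violation.
INVENTORY = [
    {"customer": "Customer-1", "username": "svc-remote", "secret": "Summer2017!"},
    {"customer": "Customer-2", "username": "svc-remote", "secret": "Summer2017!"},
    {"customer": "Customer-3", "username": "svc-remote", "secret": "Summer2017!"},
    {"customer": "Customer-4", "username": "svc-c4", "secret": "n0t-shared-4"},
    {"customer": "Customer-5", "username": "svc-c5", "secret": "n0t-shared-5"},
]


def fingerprint(secret: str) -> str:
    """Hash the secret so the audit works on digests, not plaintext.

    Reuse is judged on the secret alone: two customers sharing a password
    are exposed together even if the usernames differ.
    """
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def find_shared_credentials(inventory) -> dict:
    """Return {fingerprint: sorted customer list} for every secret used by
    more than one customer. An empty dict means no credential is shared."""
    by_fp = defaultdict(set)
    for rec in inventory:
        by_fp[fingerprint(rec["secret"])].add(rec["customer"])
    return {fp: sorted(custs) for fp, custs in by_fp.items() if len(custs) > 1}


def blast_radius(inventory, customer: str) -> list:
    """Customers reachable if the credential held for `customer` is compromised.
    The list always includes `customer` itself; a length of 1 is the goal."""
    secrets = {rec["customer"]: fingerprint(rec["secret"]) for rec in inventory}
    if customer not in secrets:
        raise KeyError(f"no credential on file for {customer}")
    target = secrets[customer]
    return sorted(c for c, fp in secrets.items() if fp == target)


def is_compliant(inventory) -> bool:
    """True when every customer has a credential no other customer uses."""
    return not find_shared_credentials(inventory)


if __name__ == "__main__":
    for fp, customers in find_shared_credentials(INVENTORY).items():
        print(f"shared secret {fp[:12]}... used by: {', '.join(customers)}")
    for rec in INVENTORY:
        print(f"{rec['customer']}: blast radius = {blast_radius(INVENTORY, rec['customer'])}")
    print("compliant with 8.5.1:", is_compliant(INVENTORY))
```

Run against the sample inventory, the check flags one shared secret covering Customers 1 through 3 and reports a blast radius of three for each of them, while Customers 4 and 5 have a blast radius of one. Feeding the script the real inventory (exported from a password vault or PAM system, with the plaintext field replaced by a vault-side hash if that is all you can export) gives you the evidence an assessor would otherwise have to gather by interview.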

From an assessment perspective, this entails examining your policies and procedures and interviewing staff, so that we can confirm they understand what is required about using unique authentication credentials for each customer.