PCI DSS Specification Requirements 7, 8 & 9: Implementing Strong Access Control

Requirement 8: Assign a unique ID to each person with computer access.
Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.

Requirement 8.1: Assign all users a unique ID before allowing them to access system components or stored cardholder data.
All SafeTok devices contain, by default, a unique serial number.
This unique serial number is linked to the registered user when the SafeTok device is first registered.
Because the serial number is unique and linked to the fingerprint recognition system, an organization which has deployed SafeTok can establish and maintain individual responsibility for actions and create an effective audit trail per employee.
This will help speed issue resolution and containment when misuse or malicious intent occurs.

Requirement 8.2: In addition to assigning a unique, trackable ID, employ at least one of the following methods to authenticate all users:
1. User name and password
2. Two-factor authentication (for example, token devices, smart cards, biometrics, or public keys)

SafeTok provides three-factor authentication:
1. What you know - user name and password.
2. What you have - a USB pen drive (biometric or non-biometric).
3. Who you are - fingerprint recognition (biometric only).

Requirement 8.3: Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties.
SafeTok integrates into web-based remote access and authentication solutions, providing all three authentication factors for higher-risk access originating from outside your network.

Requirement 8.4: Render all passwords unreadable during transmission and storage on all system components using strong cryptography.
SafeTok provides this by default.

Requirement 8.5: Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows:

Requirement 8.5.1: Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
Whenever a SafeTok device is plugged into a Windows machine with an internet connection, it checks its current status to ensure its registered user is a valid and recognized user. The addition, deletion, and modification of a device's status is exclusively managed and controlled by a person or department with this specific responsibility.

Requirement 8.5.2: Verify user identity before performing password resets.
Malicious individuals use social engineering techniques, for example, calling a help desk and acting as a legitimate user, in order to initiate a password change. SafeTok biometric provides complete protection against fraudulent password reset requests by forcing the person making the request to positively identify themselves.

Requirement 8.5.3: Set first-time passwords to a unique value for each user and change immediately after the first use.
SafeTok eliminates the need to issue a standard or default password that is used to set up every new user.

Requirement 8.5.4: Immediately revoke access for any terminated users.
If an employee has left the company, and still has access to the network via their user account, unnecessary or malicious access to cardholder data could occur. HR can immediately deactivate SafeTok devices whether the device is on the premises or is in the possession of a remote user.

Requirement 8.5.5: Remove/disable inactive user accounts at least every 90 days.
Existence of inactive accounts allows an unauthorized user to exploit the unused account to potentially access cardholder data. SafeTok protects against this threat by enforcing biometric authentication and frequent re-authentication.

Requirement 8.5.6: Enable accounts used by vendors for remote maintenance only during the time period needed.
SafeTok can allow vendors and consultants to securely access your network to provide support and test systems on a short-term basis.
Please also see Requirements 12.3.8 and 12.3.9.

Requirement 8.5.7: Communicate password procedures and policies to all users who have access to cardholder data.
SafeTok SafeShow provides an auditable way to communicate password procedures and policies to all users at login. SafeShow helps these users understand why security is important, explains the latest threats and encourages compliance with your security policies.
SafeTok helps non-technical users to be alert for any malicious individuals who may attempt to exploit their passwords to gain access to cardholder data (for example, by calling an employee and asking for their password so the caller can "troubleshoot a problem").

Requirement 8.5.8: Do not use group, shared, or generic accounts and passwords.

Requirement 8.5.9: Change user passwords at least every 90 days.

Requirement 8.5.10: Require a minimum password length of at least seven characters.

Requirement 8.5.11: Use passwords containing both numeric and alphabetic characters.

Requirement 8.5.12: Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
SafeTok positively identifies an individual by their fingerprint before it authenticates them to access any IT resources protected by SafeTok. SafeTok effectively makes user names and passwords redundant. However, SafeTok can happily coexist with systems which require user names and passwords, and will help to reduce the password overhead on your IT department, improve user productivity and significantly improve security.

Requirement 8.5.13: Limit repeated access attempts by locking out the user ID after not more than six attempts.

Requirement 8.5.14: Set the lockout duration to a minimum of 30 minutes or until administrator enables the user ID.
SafeTok eliminates the bulk of password-related issues. SafeTok biometric can be configured to deactivate itself, either temporarily or permanently, if a preset number of fingerprint swiping attempts are made without a positive identification.
SafeTok can also be configured to recognize a second fingerprint as an "under duress" access attempt which can be used to trigger a security alert.

Requirement 8.5.15: If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.
When SafeTok users remove their SafeTok drive from a system, the machine is immediately locked and requires a valid SafeTok device and a valid fingerprint swipe to unlock the terminal.
SafeTok can be configured to ask for fingerprint re-authentication either based on elapsed time since last authentication or based on the data the terminal user is trying to access.
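The password-management thresholds quoted in Requirements 8.5.10 to 8.5.15 above (seven-character minimum, alphabetic plus numeric, no reuse of the last four, lockout after six failures for at least 30 minutes, re-authentication after 15 idle minutes) are concrete enough to enforce in code. The following is an added illustration written for this page, not SafeTok's or any product's implementation; the `Account` class, its return strings and the caller-supplied `now` timestamp are assumptions of the example.

```python
import hashlib
import hmac
import os

MIN_LEN = 7                # 8.5.10: at least seven characters
HISTORY = 4                # 8.5.12: must differ from the last four passwords
MAX_ATTEMPTS = 6           # 8.5.13: lock out after at most six failed attempts
LOCKOUT_SECS = 30 * 60     # 8.5.14: lockout lasts at least 30 minutes
IDLE_SECS = 15 * 60        # 8.5.15: idle for 15 minutes means re-authenticate

def _hash(password, salt):
    # 8.5.4: store only a salted slow hash, never the clear-text password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:  # hypothetical credential record; `now` is epoch seconds
    def __init__(self, password, now):
        self.history = []  # (salt, hash) pairs, newest last
        self.failures, self.locked_until, self.last_activity = 0, 0.0, None
        if self.set_password(password) != "ok":
            raise ValueError("initial password violates policy")

    def set_password(self, new):
        if len(new) < MIN_LEN:
            return "too_short"
        if not (any(c.isalpha() for c in new) and any(c.isdigit() for c in new)):
            return "needs_alpha_and_digit"  # 8.5.11
        for salt, h in self.history[-HISTORY:]:
            if hmac.compare_digest(_hash(new, salt), h):
                return "reused"
        salt = os.urandom(16)
        self.history.append((salt, _hash(new, salt)))
        return "ok"

    def login(self, password, now):
        if now < self.locked_until:
            return "locked"
        salt, h = self.history[-1]
        if not hmac.compare_digest(_hash(password, salt), h):
            self.failures += 1
            if self.failures >= MAX_ATTEMPTS:
                self.failures, self.locked_until = 0, now + LOCKOUT_SECS
                return "locked"
            return "bad_password"
        self.failures, self.last_activity = 0, now
        return "ok"

    def touch(self, now):
        # called per request: idle longer than IDLE_SECS forces re-authentication
        idle = self.last_activity is None or now - self.last_activity > IDLE_SECS
        self.last_activity = None if idle else now
        return "reauth_required" if idle else "ok"
```

A real deployment would persist this state server-side and log every lockout and forced re-authentication, since those events are the audit trail Requirement 8 exists to produce.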


Styskin's Solutions Limited © 2007-2011. All rights reserved.