Assign a unique ID to each person with computer access. This ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.
PowerTech Compliance Monitor provides comprehensive capabilities for reporting on the integrity of user profiles on System i servers, including:
Changes to user profiles
Password and sign-on system values
Users can also customize their own specific reports.
PowerTech's professional services team can help you quickly implement Single Sign-On (SSO) between Windows and System i. The solution is based on the Enterprise Identity Mapping (EIM) architecture, which is included natively in OS/400 V5R2 and later and in i5/OS: users authenticate to Windows with Kerberos, and EIM maps that Windows identity to an IBM i user profile. Once SSO is in place, you can even eliminate passwords on the mapped profiles (PASSWORD(*NONE)), so there is no IBM i password left to guess or steal. The PowerTech EasyPass product simplifies the configuration and maintenance of the Single Sign-On environment.
8.1 - Assign all users with a unique username before allowing them to access system components or cardholder data.
8.2 - In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:
Password or passphrase
Two-factor authentication (for example, token devices, smart cards, biometrics, or public keys)
8.4 - Render all passwords unreadable during transmission and storage on all system components using strong cryptography.
8.5 - Ensure proper user authentication and password management for non-consumer users and administrators, on all system components:
8.5.1 - Control the addition, deletion, and modification of user IDs, credentials, and other identifier objects.
PowerTech recommended report: Changes to User Profiles
8.5.2 - Verify user identity before performing password resets.
8.5.3 - Set first-time passwords to a unique value per user and change immediately after first use.
PowerTech recommended report: Default Passwords
8.5.4 - Immediately revoke access for any terminated users.
PowerTech recommended report: Inactive Profiles
8.5.5 - Remove/disable inactive user accounts at least every 90 days.
PowerTech recommended report: Inactive Profiles
8.5.6 - Enable accounts used by vendors for remote maintenance only during the time period needed.
PowerTech recommended report: All Profiles
8.5.7 - Distribute password procedures and policies to all users who have access to cardholder information.
8.5.8 - Do not use group, shared, or generic accounts/passwords.
PowerTech recommended report: Default Passwords
8.5.9 - Change user passwords at least every 90 days.
PowerTech recommended security system value setting: QPWDEXPITV = 90
8.5.10 - Require a minimum password length of at least seven characters.
Note: most other standards require only six characters; PCI DSS requires seven.
PowerTech recommended security system value setting: QPWDMINLEN=7
8.5.11 - Use passwords containing both numeric and alphabetic characters.
PowerTech recommended security system value setting: QPWDRQDDGT=1
Note: QPWDRQDDGT=1 only forces at least one digit; it does not by itself require a letter. On i5/OS V6R1 and later, QPWDRULES(*DGTMIN1 *LTRMIN1) enforces both, and when QPWDRULES is set to anything other than *PWDSYSVAL the QPWDMINLEN and QPWDRQDDGT values are ignored in favour of the rules string.
8.5.12 - Do not allow an individual to submit a new password that is the same as any of the last four passwords used by that individual.
PowerTech recommended security system value setting: QPWDRQDDIF = 8 (a value of 8 rejects any of the last 4 passwords; lower values check longer histories, down to 1 = last 32, while 0 disables the check)
8.5.13 - Limit repeated access attempts by locking out the user ID after not more than six attempts.
PowerTech recommended security system value setting: QMAXSIGN = 6
PowerTech recommended security system value setting: QMAXSGNACN = 2 (disable the user profile; a value of 1 only varies off the device and does not lock the user ID, 3 does both)
8.5.14 - Set the lockout duration to thirty minutes or until administrator enables the user ID.
Note: IBM i has no timed automatic re-enable. A profile disabled by QMAXSGNACN stays disabled until an administrator runs CHGUSRPRF with STATUS(*ENABLED), which satisfies the "until administrator enables" alternative.
8.5.15 - If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.
PowerTech recommended security system value setting: QINACTITV=15
QINACTMSGQ should be set to a message queue monitored by PowerTech SecureScreen. When QINACTMSGQ names a message queue, the system only sends a message for the idle job; the monitor must then lock or disconnect the session so that the user has to re-enter a password. (Setting QINACTMSGQ to *DSCJOB or *ENDJOB makes the system disconnect or end the job itself.)
8.5.16 - Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.
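The following is an added example, not PowerTech's or IBM's code, that checks a set of IBM i system values against the 8.5.9 to 8.5.15 settings recommended above. The input dictionary is constructed here; in practice you would fill it from DSPSYSVAL or RTVSYSVAL output (numeric values arrive as strings, special values such as *NOMAX and *NONE as text). It goes slightly beyond the page in two places: it decodes the QPWDRQDDIF history table rather than only accepting the value 8, and it honours the V6R1 QPWDRULES system value, which overrides QPWDMINLEN and QPWDRQDDGT when it is set to anything other than *PWDSYSVAL. The QPWDRQDDIF encoding and the QMAXSGNACN meanings are IBM's documented values; the function and variable names are this example's own.

```python
"""PCI DSS v1.2 Requirement 8.5 check over IBM i password/sign-on system values.

Added example, not PowerTech's or IBM's code. The sample dictionaries below are
constructed; real values come from DSPSYSVAL/RTVSYSVAL or the QWCRSVAL API.
"""

# IBM's documented QPWDRQDDIF encoding: code -> number of previous passwords rejected.
QPWDRQDDIF_HISTORY = {0: 0, 1: 32, 2: 24, 3: 18, 4: 12, 5: 10, 6: 8, 7: 6, 8: 4}


def _as_int(value):
    """Numeric system values come back as strings; *NOMAX/*NONE/None yield None."""
    try:
        return int(str(value).strip())
    except ValueError:
        return None


def audit_pci_8_5(sysvals):
    """Return a list of (pci_item, system_value, observed, finding) tuples for gaps."""
    findings = []

    def fail(item, name, msg):
        findings.append((item, name, sysvals.get(name), msg))

    # 8.5.9 - expiration interval in days; *NOMAX never expires and fails the check
    days = _as_int(sysvals.get("QPWDEXPITV"))
    if days is None or days > 90:
        fail("8.5.9", "QPWDEXPITV", "passwords must expire within 90 days")

    # V6R1+: when QPWDRULES is not *PWDSYSVAL, QPWDMINLEN and QPWDRQDDGT are ignored
    rules = str(sysvals.get("QPWDRULES", "*PWDSYSVAL")).strip().upper()
    if rules != "*PWDSYSVAL":
        tokens = rules.split()
        minlen = max((int(t[len("*MINLEN"):]) for t in tokens if t.startswith("*MINLEN")), default=0)
        if minlen < 7:
            fail("8.5.10", "QPWDRULES", "rules string must include *MINLEN7 or higher")
        has_digit = any(t.startswith("*DGTMIN") for t in tokens)
        has_letter = any(t.startswith("*LTRMIN") for t in tokens)
        if not (has_digit and has_letter):
            fail("8.5.11", "QPWDRULES", "rules string needs both *DGTMINn and *LTRMINn")
    else:
        minlen = _as_int(sysvals.get("QPWDMINLEN"))
        if minlen is None or minlen < 7:
            fail("8.5.10", "QPWDMINLEN", "minimum password length must be at least 7")
        # QPWDRQDDGT=1 only forces a digit; it does not by itself require a letter
        if _as_int(sysvals.get("QPWDRQDDGT")) != 1:
            fail("8.5.11", "QPWDRQDDGT", "at least one digit must be required")

    # 8.5.12 - any non-zero QPWDRQDDIF code rejects at least the last 4 passwords
    code = _as_int(sysvals.get("QPWDRQDDIF"))
    if QPWDRQDDIF_HISTORY.get(code, 0) < 4:
        fail("8.5.12", "QPWDRQDDIF", "must reject at least the last 4 passwords (8 = last 4)")

    # 8.5.13 - lock out after at most 6 attempts, and the action must disable the profile
    attempts = _as_int(sysvals.get("QMAXSIGN"))
    if attempts is None or attempts > 6:
        fail("8.5.13", "QMAXSIGN", "must allow 6 or fewer attempts (*NOMAX never locks)")
    if _as_int(sysvals.get("QMAXSGNACN")) not in (2, 3):
        fail("8.5.13", "QMAXSGNACN", "1 only varies off the device; 2 or 3 disables the profile")

    # 8.5.15 - idle timeout of at most 15 minutes; *NONE turns the check off
    idle = _as_int(sysvals.get("QINACTITV"))
    if idle is None or idle > 15:
        fail("8.5.15", "QINACTITV", "inactive job timeout must be 15 minutes or less")
    msgq = str(sysvals.get("QINACTMSGQ", "")).strip().upper()
    if msgq not in ("*ENDJOB", "*DSCJOB"):
        # A named queue only receives a message; a monitor must lock or disconnect the job.
        fail("8.5.15", "QINACTMSGQ", "verify a monitor acts on this queue, or use *DSCJOB")

    return findings


# Constructed samples: the recommended settings, and a common out-of-the-box weak set.
COMPLIANT = {
    "QPWDEXPITV": "90", "QPWDMINLEN": "7", "QPWDRQDDGT": "1", "QPWDRQDDIF": "8",
    "QMAXSIGN": "6", "QMAXSGNACN": "2", "QINACTITV": "15", "QINACTMSGQ": "*DSCJOB",
}
WEAK = {
    "QPWDEXPITV": "*NOMAX", "QPWDMINLEN": "6", "QPWDRQDDGT": "0", "QPWDRQDDIF": "0",
    "QMAXSIGN": "15", "QMAXSGNACN": "1", "QINACTITV": "*NONE", "QINACTMSGQ": "QSYSOPR",
}

if __name__ == "__main__":
    for item, name, observed, msg in audit_pci_8_5(WEAK):
        print(f"{item:7} {name:11} {str(observed):8} {msg}")
```

The QSYSOPR finding for QINACTMSGQ is a verification item rather than a hard failure: a queue watched by SecureScreen satisfies 8.5.15, an unwatched one does not, and the system value alone cannot tell you which.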
© Payment Card Industry (PCI) Data Security Standard v 1.2
Release: October, 2008