I had a customer ask me if they had to make the Administrator account/password comply with Requirement 8 of the PCI Standards. Requirement 8 deals with assigning a unique ID to each person with computer access to those systems dealing with cardholder data. Specifically, no generic or shared accounts should be used, especially those that are administrators!

The answer is YES, they must comply with the requirements. What does that mean from an operational standpoint?

We see customers attack this from various angles. For corporate systems joined to a directory service, they typically just disable the built-in Administrator account and put special alerting in place to fire if it is ever used (as in, something bad is happening, go deploy the cavalry).

If you have a non-directory setup, things become much more painful. You are essentially looking at deploying a password escrow type service where no one person knows the password, only the system does. Passwords are then checked in and out and stored in a secured area (think of a vault) with appropriate logging. Essentially, if someone uses that account, you want to be able to prove which individual used it, since the logs will just say “Administrator” or “root.”
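As an added illustration (not from the original post), here is the detection side of both approaches: flag every successful logon by a shared privileged account, and where an escrow checkout record exists for that moment, attach the individual who held the credential. The log lines and checkout records are constructed samples, and the ISO 8601 timestamps on the Unix auth lines are an assumption for simplicity.

```python
import re
from datetime import datetime, timezone

# Accounts treated as shared/generic: every use must be attributable to one person.
SHARED_PRIVILEGED = {"administrator", "root"}

# Constructed sample lines (not real logs); ISO 8601 timestamps assumed on both sources.
LOG_LINES = [
    "2024-03-01T09:15:02Z EventID=4624 TargetUserName=jdoe LogonType=10 IpAddress=10.0.0.5",
    "2024-03-01T21:47:10Z EventID=4624 TargetUserName=Administrator LogonType=10 IpAddress=10.0.0.9",
    "2024-03-01T09:20:11Z db01 sshd[1201]: Accepted publickey for jdoe from 10.0.0.5 port 50122 ssh2",
    "2024-03-01T22:05:44Z db01 sshd[1377]: Accepted password for root from 10.0.0.9 port 50310 ssh2",
]

# Constructed vault/escrow checkout records: who held the shared credential, and when.
CHECKOUTS = [
    {"account": "Administrator", "person": "asmith",
     "start": "2024-03-01T21:30:00Z", "end": "2024-03-01T22:30:00Z"},
]

WIN_RE = re.compile(r"^(\S+) EventID=4624 .*TargetUserName=(\S+).*IpAddress=(\S+)")
SSH_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_logon(line):
    """Return (timestamp, account, source_ip) for a successful logon line, else None."""
    m = WIN_RE.match(line) or SSH_RE.match(line)
    return (_ts(m.group(1)), m.group(2), m.group(3)) if m else None

def attribute(account, when, checkouts):
    """Name the person who had the shared credential checked out at that moment, if any."""
    for c in checkouts:
        if c["account"].lower() == account.lower() and _ts(c["start"]) <= when <= _ts(c["end"]):
            return c["person"]
    return None

def shared_account_alerts(lines, checkouts):
    """Flag every logon by a shared privileged account; 'person' is None if unattributable."""
    alerts = []
    for line in lines:
        parsed = parse_logon(line)
        if not parsed or parsed[1].lower() not in SHARED_PRIVILEGED:
            continue
        when, account, src = parsed
        alerts.append({"time": when.isoformat(), "account": account, "source": src,
                       "person": attribute(account, when, checkouts)})
    return alerts
```

On the sample data the Administrator logon is attributed to asmith via the checkout window, while the root logon has no checkout and is the one that should page someone.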

More than half of the customers we deal with have directory services deployed to all systems, albeit in many cases multiple directory services. In one case, a customer standardized completely on Active Directory and RACF. All Unix variants pointed back to LDAP via Active Directory.

This post originally appeared on BrandenWilliams.com.
