Although using PCI Proxy's Show API reduces your PCI DSS scope, it does not eliminate it completely. To use it safely and in a PCI DSS compliant way, you have several responsibilities that you need to be aware of.
As the Show API displays sensitive cardholder data, it should only be used for end users.
For example, these end users may be your customers. If you use the Show API internally within your organization, it will extend your PCI scope.
The Show API does not provide any user authentication of its own, nor does it integrate with the authentication mechanism you use with PCI Proxy. It is therefore extremely important that your backend application manages user authentication and ensures that, whenever card data is displayed in your application:
- your application provides a login method
- the Show feature is protected with Multi Factor Authentication
- the user requesting to see card data is authenticated and is allowed to see the card information that is being requested
The above requirements are mandatory and will be checked by our team before granting access to the Show API.
Every single user who has access to the Show API needs to have a unique user login which can be clearly identified. Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for their actions. When such accountability is in place, actions taken on critical data and systems can be traced to known authorized users and processes.
Shared user logins are not allowed.
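The following is an added example (not PCI Proxy's code) of the gate a backend should place in front of every Show request. It checks the three mandatory conditions above (login, MFA, authorization for the requested card), refuses internal staff accounts because internal use of Show extends scope, and logs every decision against the unique user ID so that actions remain traceable. The `Session` class, the `CARD_OWNER` mapping, the alias values and the `INTERNAL_USERS` set are constructed assumptions standing in for your own session store and database.

```python
import logging
from dataclasses import dataclass

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("show-access")

# Hypothetical session object populated by your own login flow (assumption: not a PCI Proxy type).
@dataclass
class Session:
    user_id: str          # unique, non-shared login identifier for this person
    authenticated: bool   # set by your application's login method
    mfa_verified: bool    # set only after a second factor was checked for this session

# Constructed sample: which end user (customer) each stored card belongs to.
# In a real deployment this mapping lives in your own database.
CARD_OWNER = {
    "alias-1111": "cust-alice",
    "alias-2222": "cust-bob",
}

# Constructed sample: internal accounts that must never be served the Show output,
# because internal use of Show extends PCI DSS scope.
INTERNAL_USERS = {"ops-carol"}

def deny(session: Session, card_alias: str, reason: str) -> bool:
    # Every decision is logged against the unique user ID so actions stay traceable.
    log.warning("SHOW DENY user=%s alias=%s reason=%s", session.user_id, card_alias, reason)
    return False

def may_show_card(session: Session, card_alias: str) -> bool:
    """Return True only when every precondition for rendering the Show API is satisfied."""
    if not session.authenticated:
        return deny(session, card_alias, "not_authenticated")
    if not session.mfa_verified:
        return deny(session, card_alias, "mfa_missing")
    if session.user_id in INTERNAL_USERS:
        return deny(session, card_alias, "internal_user")
    if CARD_OWNER.get(card_alias) != session.user_id:
        return deny(session, card_alias, "not_owner")
    log.info("SHOW ALLOW user=%s alias=%s", session.user_id, card_alias)
    return True

if __name__ == "__main__":
    alice = Session("cust-alice", authenticated=True, mfa_verified=True)
    print(may_show_card(alice, "alias-1111"))   # True
    print(may_show_card(alice, "alias-2222"))   # False: belongs to another customer
```

The ownership check is deliberately a strict equality against the customer who owns the alias: a missing or unknown alias denies by default rather than falling through to a display.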
The effectiveness of a password is largely determined by the design and implementation of the authentication system: for example, how frequently an attacker can make password attempts, and the methods used to protect user passwords at the point of entry, during transmission, and while in storage. In general, the following minimum password rules have to be observed:
- Users are required to change their passwords every 90 days.
- The password must have a minimum length of 7 characters.
- The password must contain upper and lower case letters, numbers and at least one special character.
- When changing passwords, none of the last four passwords can be used.
- Vendor-supplied defaults are not allowed.
- When passwords are generated for the user, the password must be unique to each user and changed after the first use.
- After 6 failed login attempts, a user account is locked. It can only be unlocked by the administrator.
- After 15 minutes of inactivity, the password must be entered to reactivate the terminal or session.
- The maximum time after which the user must log in again must not exceed 200 minutes.
For more details on PCI DSS user management, refer to Requirement 8 of the PCI DSS standard.
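The password and session rules above, as an added example that is not part of PCI Proxy's documentation or code. It enforces the complexity, history, vendor-default, generated-password, lockout, 90-day expiry and inactivity/lifetime rules in one place, so each rule can be unit-tested. The `Account` model, the `VENDOR_DEFAULTS` set and the use of PBKDF2 are assumptions for a self-contained demo; a production system would use your own user store and a tuned password hash such as argon2 or bcrypt.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Policy constants taken from the rules above.
MIN_LENGTH = 7
MAX_PASSWORD_AGE = timedelta(days=90)
HISTORY_DEPTH = 4
MAX_FAILED_ATTEMPTS = 6
IDLE_TIMEOUT = timedelta(minutes=15)
MAX_SESSION_LIFETIME = timedelta(minutes=200)
# Constructed sample of vendor-supplied defaults; extend with your own product's defaults.
VENDOR_DEFAULTS = {"admin", "password", "changeme"}
KDF_ITERATIONS = 100_000  # PBKDF2 for a stdlib-only demo; use argon2/bcrypt in production

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)

def matches(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

@dataclass
class Account:
    user_id: str                  # unique per person; shared logins are not allowed
    password_set_at: datetime
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # last N hashes, newest last
    must_change: bool = False     # True while a generated initial password is in force
    failed_attempts: int = 0
    locked: bool = False

def validate_new_password(password: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return a list of rule violations; an empty list means the password is acceptable."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password) or not re.search(r"[a-z]", password):
        errors.append("needs upper and lower case letters")
    if not re.search(r"[0-9]", password):
        errors.append("needs a number")
    if not re.search(r"[^A-Za-z0-9]", password):
        errors.append("needs a special character")
    if password.lower() in VENDOR_DEFAULTS:
        errors.append("vendor-supplied default")
    if any(matches(password, salt, digest) for salt, digest in history[-HISTORY_DEPTH:]):
        errors.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return errors

def set_password(account: Account, password: str, now: datetime, generated: bool = False) -> List[str]:
    errors = validate_new_password(password, account.history)
    if errors:
        return errors
    account.history = (account.history + [hash_password(password)])[-HISTORY_DEPTH:]
    account.password_set_at = now
    account.must_change = generated   # generated passwords must be changed on first use
    account.failed_attempts = 0
    return []

def login(account: Account, password: str, now: datetime) -> str:
    """Return 'ok', 'must_change', 'bad_password' or 'locked'."""
    if account.locked:
        return "locked"
    if not account.history:
        return "must_change"      # no password has ever been set
    salt, digest = account.history[-1]
    if not matches(password, salt, digest):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True   # only unlock_by_admin() clears this
            return "locked"
        return "bad_password"
    account.failed_attempts = 0
    if account.must_change or now - account.password_set_at > MAX_PASSWORD_AGE:
        return "must_change"
    return "ok"

def unlock_by_admin(account: Account) -> None:
    account.locked = False
    account.failed_attempts = 0

def session_is_valid(started_at: datetime, last_activity: datetime, now: datetime) -> bool:
    # Re-authenticate after 15 idle minutes and unconditionally after 200 minutes.
    return now - last_activity <= IDLE_TIMEOUT and now - started_at <= MAX_SESSION_LIFETIME
```

Note that the history check compares the candidate against stored salted hashes rather than plaintext, so keeping the last four passwords does not weaken storage, and the lock is set on the sixth failure and is never cleared by a later correct password.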