21. PCI DSSΒΆ

The Payment Card Industry Data Security Standard is a policy framework that defines necessary requirements when dealing with credit card information. It defines a rule set divided into twelve main subjects. LinOTP helps to fulfill the following requirements of PCI DSS v2.0.

Requirement

Requirement text

LinOTP actions

8.3

Incorporate two-factor authentication for remote access to the network by employees, administrators and third parties.

LinOTP provides a two factor authentication based on one time passwords with hardware tokens.

8.4

Render all passwords unreadable during transmission and storage on all system components using strong cryptography.

Sensible data like OTP secrets and passwords are stored in a hashed or encrypted way.

10.1

Establish a process for linking all access to system components to each individual user.

Using LinOTP you can identify each user by two factors.

10.2

Implement automated audit trails for all system components to reconstruct the following events:

LinOTP provides a sophisticated audit trail, that can tell which user authenticated under which condition and which administrator performed which task on a certain token.

10.2.1

All individual accesses to cardholder data

If the access to cardholder data is protected by LinOTP authentication, this will be logged within the audit trail.

10.2.2

All actions taken by any individual with root or administrative privileges

All actions by LinOTP administrators are logged in the audit trail.

10.2.3

Access to all audit trails

The access to the audit trail via the LinOTP API is logged in the audit trail. Direct access to the database must be audited in another way by the database system.

10.2.4

Invalid logical access attempts

All LinOTP authentication requests are logged in the audit trail.

10.2.5

Use of identification and authentication mechanisms

All LinOTP authentication requests (successful and failed) are logged in the audit trail.

10.2.6

Initialization of the audit logs

The LinOTP SQL Audit Trail gets only initialized when the sequence number is set to 1.

10.3

Record at least the following audit trail entries for all system components for each event

LinOTP Audit Trail can store several different information

10.3.1

User Identification

When a user is authenticating, the username or the administrator name is logged

10.3.2

Type of event

The LinOTP action is logged

10.3.3

Date and time

A timestamp is logged

10.3.4

Success of failure indication

The success status of the event is logged

10.3.5

Origination of event

The name of the LinOTP server, where the action was performed is logged

10.3.6

Identity or name of affected data, system component or resource

Depending on the action additional information is logged

10.4 10.4.1 10.4.2 10.4.3

Using time synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distribution and storing time: Critical systems have the correct and consistent time Time data protected Time settings are received from industry-accepted time sources

The LinOTP server uses NTP. The timestamps for the audit trail are generated on the LinOTP server and not on the database server.

10.5

Secure audit trails so the cannot be altered.

The LinOTP audit trail entries get digitally signed.

10.5.1

Limit viewing of audit trails to those with a job-related need.

The access to the audit trail can be restricted by defining access policies.

10.5.2

Protect audit trails from unauthorized modifications.

The LinOTP audit trail entries are digitally signed.

10.5.3

Promptly back up audit trail files to a centralized log server or media that is difficult to alter.

Audit trail can be written to an SQL database server.

10.5.4

Write logs for external-facing technologies onto a log server on the internal LAN.

Can be configured by using another, internal database server

10.5.5

Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

N/A