Integrator Notes
By default, Singlefront requires strong passwords and applies the appropriate policies for locking out invalid logins, password rotation, and password retrieval. In addition, you must create unique user names and complex passwords in your server and database environment.
When creating user names and passwords on your database or server, follow these best practices:
• Do not use group, shared, or generic accounts and passwords.
• Change user passwords at least every 90 days.
• Require a minimum password length of at least seven characters.
• Use passwords containing both numeric and alphabetic characters.
• Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
• Limit repeated access attempts by locking out the user ID after not more than six attempts.
• Set the lockout duration to thirty minutes or until an administrator re-enables the user ID.
• If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.
• Assign secure authentication to default accounts even if they will not be used, then disable or do not use these accounts.
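The account-control rules above expressed as working code, added here as an illustration and not part of the Singlefront product or this guide: a small Python model of a user account that enforces the seven-character letters-and-digits rule, the four-password history, the 90-day rotation, the six-attempt lockout lasting thirty minutes (or until an administrator unlocks the account), and the fifteen-minute idle re-authentication. The `Account` class, its method names, and the salted PBKDF2 hashing of the password history are this example's own choices; the thresholds are the ones listed above.

```python
"""Model of the account controls listed above (added illustration, not Singlefront code)."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Thresholds taken from the list above.
MIN_LENGTH = 7
MAX_FAILED_ATTEMPTS = 6
LOCKOUT_DURATION = timedelta(minutes=30)
IDLE_TIMEOUT = timedelta(minutes=15)
ROTATION_PERIOD = timedelta(days=90)
HISTORY_DEPTH = 4


def password_meets_policy(password: str) -> bool:
    """Seven or more characters containing both letters and digits."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the password history holds no recoverable passwords
    # (the hashing scheme is this example's choice, not the product's).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    user_id: str
    # (salt, digest) pairs, oldest first; the last entry is the current password.
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    password_set_at: Optional[datetime] = None
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    admin_locked: bool = False
    last_activity: Optional[datetime] = None

    def _used_recently(self, password: str) -> bool:
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self.history[-HISTORY_DEPTH:])

    def set_password(self, password: str, now: datetime) -> bool:
        """Accept a new password only if it meets policy and differs from the last four."""
        if not password_meets_policy(password) or self._used_recently(password):
            return False
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]
        self.password_set_at = now
        return True

    def password_expired(self, now: datetime) -> bool:
        """True once the 90-day rotation period has elapsed."""
        return self.password_set_at is None or now - self.password_set_at >= ROTATION_PERIOD

    def is_locked(self, now: datetime) -> bool:
        if self.admin_locked:
            return True
        return self.locked_until is not None and now < self.locked_until

    def login(self, password: str, now: datetime) -> str:
        """Return 'locked', 'failed', 'expired' or 'ok'."""
        if self.is_locked(now):
            return "locked"
        if self.locked_until is not None:  # the thirty-minute lockout has run its course
            self.locked_until = None
            self.failed_attempts = 0
        if not self.history:
            return "failed"
        salt, digest = self.history[-1]
        if not hmac.compare_digest(_digest(password, salt), digest):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked_until = now + LOCKOUT_DURATION
                return "locked"
            return "failed"
        self.failed_attempts = 0
        self.last_activity = now
        return "expired" if self.password_expired(now) else "ok"

    def activity(self, now: datetime) -> bool:
        """Record activity; False when the session idled over 15 minutes and must re-authenticate."""
        if self.last_activity is None or now - self.last_activity > IDLE_TIMEOUT:
            self.last_activity = None
            return False
        self.last_activity = now
        return True

    def admin_unlock(self) -> None:
        """An administrator re-enables the user ID before the thirty minutes are up."""
        self.admin_locked = False
        self.locked_until = None
        self.failed_attempts = 0
```

Time is passed in explicitly so the rotation, lockout and idle windows can be exercised without waiting; a real implementation would read the clock itself and persist the account state.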
If you allow remote access to your servers or web application, PCI-DSS 8.3 requires you to implement a two-factor authentication method. Use technologies such as Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access-Control System (TACACS) with tokens, or a VPN (based on SSL/TLS or IPsec) with individual certificates.
Additionally, observe the following best practices when permitting access to the payment application environment:
• Change default settings in the remote access software (for example, change default passwords and use unique passwords for each customer).
• Allow connections only from specific (known) IP/MAC addresses.
• Use strong authentication and complex passwords for logins, according to PCI-DSS Requirements 8.1, 8.3 and 8.5.8-8.5.15.
• Enable encrypted data transmission according to PCI-DSS Requirement 4.1.
• Enable account lockout after a certain number of failed login attempts according to PCI-DSS 8.5.13.
• Configure the system so that a remote user must establish a VPN connection via a firewall before access is allowed.
• Enable the logging function.
• Restrict access to customer passwords to authorized personnel.
• Establish passwords according to PCI-DSS Requirements 8.1, 8.2, 8.4 and 8.5.
In Singlefront, you should also follow these practices:
• Each user of the Singlefront Admin should have their own login ID. Do not use group or shared accounts and passwords.
• Do not use system administrative logins and passwords for Singlefront.
• The ZnodeActivityLog table in the database records user login attempts (as well as other activities).
Configuration Notes
• The “membership” section of web.config contains the settings that control password strength and the number of failed attempts before a user is locked out. Modifying the behavior of the Singlefront login mechanism may invalidate the PABP certification.
• Use secure passwords with at least seven characters, containing both numeric and alphabetic characters, in the database connection string in web.config. Do not use default logins in your connection string.
• Changing the default user access constraints for secure access will result in non-compliance with PCI-DSS.
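As an added example (not Singlefront code and not its shipped web.config), the following Python script reads a web.config and reports where the membership provider and the database connection string fall short of the two notes above: the seven-character letters-and-digits rule, lockout after at most six failed attempts, and no default login in the connection string. It assumes the standard ASP.NET SqlMembershipProvider attribute names (minRequiredPasswordLength, maxInvalidPasswordAttempts, passwordStrengthRegularExpression); whether Singlefront's provider exposes exactly these attributes is not stated on this page. The sample configuration is constructed with deliberately weak values so that every check fires. The script only reports and modifies nothing, which matters because the guide states that changing the login mechanism may invalidate certification.

```python
"""Audit the membership provider and connection string in a web.config (added illustration)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed web.config fragment written with the standard ASP.NET
# SqlMembershipProvider attributes; it is NOT Singlefront's shipped configuration
# and its values are deliberately weak so that every check below fires.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="StoreDb"
         connectionString="Server=db01;Database=Store;User ID=sa;Password=abc123;" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="StoreMembership">
      <providers>
        <clear />
        <add name="StoreMembership"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="StoreDb"
             minRequiredPasswordLength="6"
             minRequiredNonalphanumericCharacters="0"
             passwordStrengthRegularExpression=""
             maxInvalidPasswordAttempts="10"
             passwordAttemptWindow="10" />
      </providers>
    </membership>
  </system.web>
</configuration>
"""

# Well-known default database logins that must not appear in a connection string.
DEFAULT_DB_LOGINS = {"sa", "root", "admin"}


def _connection_string_parts(cs: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    parts: Dict[str, str] = {}
    for item in cs.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            parts[key.strip().lower()] = value.strip()
    return parts


def _strong_enough(password: str) -> bool:
    """Seven or more characters with both letters and digits."""
    return (len(password) >= 7 and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def _default_provider(root: ET.Element) -> Optional[ET.Element]:
    """Locate the <add> element named by membership/@defaultProvider."""
    membership = next(root.iter("membership"), None)
    if membership is None:
        return None
    name = membership.get("defaultProvider")
    return next((p for p in membership.iter("add") if p.get("name") == name), None)


def audit_web_config(xml_text: str) -> List[str]:
    """Return one finding per requirement the configuration does not meet (empty list = clean)."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    provider = _default_provider(root)
    if provider is None:
        return ["no membership provider found"]

    # ASP.NET defaults (7 and 5) apply when the attribute is absent.
    min_len = int(provider.get("minRequiredPasswordLength", "7"))
    if min_len < 7:
        findings.append(f"minRequiredPasswordLength={min_len}: policy requires at least 7")
    # The provider has no letters-and-digits switch; only the regular expression enforces it.
    if not provider.get("passwordStrengthRegularExpression"):
        findings.append("passwordStrengthRegularExpression is empty: letters+digits not enforced")
    attempts = int(provider.get("maxInvalidPasswordAttempts", "5"))
    if attempts > 6:
        findings.append(f"maxInvalidPasswordAttempts={attempts}: lock out after at most 6")

    # Connection string referenced by the provider.
    cs_name = provider.get("connectionStringName")
    for cs in root.iter("connectionStrings"):
        for add in cs.findall("add"):
            if add.get("name") != cs_name:
                continue
            parts = _connection_string_parts(add.get("connectionString", ""))
            user = parts.get("user id") or parts.get("uid") or ""
            password = parts.get("password") or parts.get("pwd") or ""
            if user.lower() in DEFAULT_DB_LOGINS:
                findings.append(f"connection string uses default login {user!r}")
            if not _strong_enough(password):
                findings.append("connection string password is under 7 characters or lacks letters/digits")
    return findings


if __name__ == "__main__":
    for line in audit_web_config(SAMPLE_WEB_CONFIG):
        print(line)
```

Run it against the constructed sample and all five findings are reported; pointing `audit_web_config` at the text of a real web.config gives a quick read-only check before an assessment, without touching the login mechanism itself.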