#1
I have a payment application that is being prepared for PA-DSS and have many questions, but one specific one now.
Are the PA-DSS requirements in line with the PCI DSS requirements for password changes, length, re-using passwords, lockouts, etc. (8.5.9 - 8.5.15)? I can see having these strict controls for networks and servers, but in my case there is no "administrative access" to cardholder data allowed by the payment application. Thanks for any help.
#2
Yes, the PA-DSS's password management requirements are aligned with the PCI DSS requirements.
That said, they only really apply at the PA-DSS level if the application is managing the authentication process. If you rely on Active Directory, RADIUS or some other outside authentication process, then you are off the hook. However, you need to document in the implementation guide that the outside directory needs to comply with the PCI DSS requirements.
__________________
Jeff Hall, Director, Risk Advisory Services RSM McGladrey Inc 801 Nicollet Mall, 11th Floor, West Tower Minneapolis, MN 55402-2526 612 376 9280 - office 612 395 7280 - facsimile www.mcgladrey.com The views presented are those of the writer and are not necessarily those of RSM McGladrey Inc |
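For the case the answer describes where the application manages authentication itself, the following is an added example of what "aligned with 8.5.9 - 8.5.15" means in code. It is not code from the thread or from either poster. The thresholds are the PCI DSS v2.0 values for those requirements (90-day maximum age, 7-character minimum with letters and digits, no reuse of the last four, lockout after six failures for at least 30 minutes, 15-minute idle timeout); confirm them against the version of the standard you are assessed against. The class and function names, the user "clerk" and the injectable clock are assumptions made for the example. If authentication is delegated to Active Directory or RADIUS, none of this belongs in the application; the implementation guide documents that the directory must enforce the same controls.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Thresholds as stated in PCI DSS v2.0 requirements 8.5.9 - 8.5.15 (PA-DSS
# requirement 3 mirrors them). Assumption: verify against your assessed version.
MAX_PASSWORD_AGE = 90 * 86400    # 8.5.9: change at least every 90 days
MIN_PASSWORD_LENGTH = 7          # 8.5.10: at least seven characters
PASSWORD_HISTORY = 4             # 8.5.12: not the same as any of the last four
MAX_FAILED_ATTEMPTS = 6          # 8.5.13: lock out after at most six attempts
LOCKOUT_SECONDS = 30 * 60        # 8.5.14: locked for at least 30 minutes
IDLE_TIMEOUT = 15 * 60           # 8.5.15: re-authenticate after 15 idle minutes


class PolicyError(ValueError):
    """Raised when a password change would violate the policy."""


def _derive(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash; the plaintext is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: float
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # prior (salt, digest)
    failed: int = 0
    locked_until: float = 0.0
    last_activity: float = 0.0


class PasswordStore:
    """Application-managed authentication enforcing 8.5.9 - 8.5.15 (example, not a library)."""

    def __init__(self, clock=time.time):
        self.clock = clock                      # injectable so tests can move time
        self.accounts: Dict[str, Account] = {}

    def check_policy(self, user: str, password: str) -> Optional[str]:
        """Return a rejection reason, or None if the new password is acceptable."""
        if len(password) < MIN_PASSWORD_LENGTH:
            return "shorter than %d characters (8.5.10)" % MIN_PASSWORD_LENGTH
        if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
            return "needs both letters and digits (8.5.11)"
        acct = self.accounts.get(user)
        if acct is not None:
            recent = [(acct.salt, acct.digest)] + acct.history   # current plus prior ones
            for salt, digest in recent[:PASSWORD_HISTORY]:
                if hmac.compare_digest(_derive(password, salt), digest):
                    return "matches one of the last %d passwords (8.5.12)" % PASSWORD_HISTORY
        return None

    def set_password(self, user: str, password: str) -> None:
        reason = self.check_policy(user, password)
        if reason:
            raise PolicyError(reason)
        salt, now = os.urandom(16), self.clock()
        digest = _derive(password, salt)
        acct = self.accounts.get(user)
        if acct is None:
            self.accounts[user] = Account(salt, digest, now)
            return
        # Keep current + (PASSWORD_HISTORY - 1) prior entries so "last four" is checkable.
        acct.history = ([(acct.salt, acct.digest)] + acct.history)[:PASSWORD_HISTORY - 1]
        acct.salt, acct.digest, acct.changed_at = salt, digest, now
        acct.failed, acct.locked_until = 0, 0.0

    def authenticate(self, user: str, password: str) -> str:
        """Return 'ok', 'expired', 'locked' or 'denied'; unknown users look like 'denied'."""
        acct, now = self.accounts.get(user), self.clock()
        if acct is None:
            _derive(password, b"\0" * 16)       # same cost as a real check; no user enumeration
            return "denied"
        if now < acct.locked_until:
            return "locked"                     # 8.5.14: nothing is checked while locked
        if not hmac.compare_digest(_derive(password, acct.salt), acct.digest):
            acct.failed += 1
            if acct.failed >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS   # 8.5.13
                return "locked"
            return "denied"
        acct.failed, acct.last_activity = 0, now
        if now - acct.changed_at > MAX_PASSWORD_AGE:
            return "expired"                    # 8.5.9: caller must force a change first
        return "ok"

    def session_active(self, user: str) -> bool:
        """False once the session has been idle past the limit; otherwise refresh the timer."""
        acct, now = self.accounts[user], self.clock()
        if now - acct.last_activity > IDLE_TIMEOUT:       # 8.5.15
            acct.last_activity = 0.0
            return False
        acct.last_activity = now
        return True
```

The state machine returns a status rather than a bare boolean so the caller cannot accidentally treat "expired" as a successful login; the forced change on expiry and the re-authentication on idle timeout are the two places where an otherwise correct password must still not grant access.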