Compliance and standards
Compliance with PCI-DSS
Thales’s STA service can be leveraged by customers looking to comply with PCI-DSS to provide a strong and reliable authentication method to systems containing or processing card payment data.
Highlighted below are a number of key PCI-DSS requirements that can be met using STA. Note that each of them requires an administrator to enable the relevant functionality during the (simple) configuration process; none of them is active by default.
Thales recommends implementing the built-in system policies that protect customer login credentials from brute-force attacks. For customers leveraging STA for PCI-DSS compliance, it is recommended that the STA Server Account Lockout/Unlock Policy be configured so that no more than six attempts with incorrect credentials can be made against an account before that account is disabled. See Account lockout and unlock policies.
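The lockout behaviour described above, as an added illustration that is not STA's own code: a counter of consecutive failed logins per account, locked at the sixth failure and reset on success or administrative unlock. The account name and credential are constructed sample values, and the audit list stands in for the authentication log a SOC would review for lockout events.

```python
import hmac
from dataclasses import dataclass

# Threshold taken from the page: no more than six incorrect attempts before lockout.
MAX_FAILED_ATTEMPTS = 6


@dataclass
class Account:
    username: str
    secret: str                 # constructed sample credential for the demo only
    failed_attempts: int = 0    # consecutive failures since the last success/unlock
    locked: bool = False


class LockoutPolicy:
    """Illustrative Account Lockout/Unlock policy (assumption: not STA's API)."""

    def __init__(self, max_failed: int = MAX_FAILED_ATTEMPTS):
        self.max_failed = max_failed
        self.audit = []  # (username, event) tuples, what a detection rule would consume

    def authenticate(self, acct: Account, presented: str) -> bool:
        # A locked account rejects even the correct credential until an admin unlocks it.
        if acct.locked:
            self.audit.append((acct.username, "rejected: account locked"))
            return False
        # Constant-time comparison avoids leaking the credential via timing.
        if hmac.compare_digest(presented.encode(), acct.secret.encode()):
            acct.failed_attempts = 0
            self.audit.append((acct.username, "success"))
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= self.max_failed:
            acct.locked = True
            self.audit.append((acct.username, f"locked after {acct.failed_attempts} failures"))
        else:
            self.audit.append((acct.username, f"failure {acct.failed_attempts}/{self.max_failed}"))
        return False

    def admin_unlock(self, acct: Account) -> None:
        acct.locked = False
        acct.failed_attempts = 0
        self.audit.append((acct.username, "unlocked by administrator"))


def simulate_failed_logins(attempts: int):
    """Send `attempts` wrong guesses at a fresh account; return (counter, locked)."""
    policy = LockoutPolicy()
    acct = Account("alice", "correct-otp-123456")  # constructed sample
    for i in range(attempts):
        policy.authenticate(acct, f"wrong-{i}")
    return acct.failed_attempts, acct.locked


def lockout_events(attempts: int):
    """Return the audit events that a SOC would alert on for `attempts` wrong guesses."""
    policy = LockoutPolicy()
    acct = Account("alice", "correct-otp-123456")  # constructed sample
    for i in range(attempts):
        policy.authenticate(acct, f"wrong-{i}")
    return [event for _, event in policy.audit if event.startswith("locked")]


if __name__ == "__main__":
    print(simulate_failed_logins(5))   # five failures, still unlocked
    print(simulate_failed_logins(6))   # sixth failure disables the account
```

Five wrong attempts leave the account usable; the sixth disables it, and the "locked after 6 failures" event is the record to alert on, since a burst of lockouts across many accounts is the usual sign of a password-spraying campaign.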
Thales recommends using a PIN in conjunction with a token policy of at least six digits to provide strong multi-factor authentication for your users. When customers look to leverage STA to comply with PCI-DSS, it is recommended that a “Server-Side” PIN be selected for the token and that the complexity of this PIN be alphanumeric.
For customers who choose not to use a PIN, we recommend that the token template for your specific token be updated prior to deployment so that the displayed OTP is at minimum seven alphanumeric characters. See Configure server-side PINs and Token templates.
Thales recommends never using a static password where a One-Time Password (OTP) is available. When leveraging STA for PCI-DSS compliance, customers must implement at least a periodically changing password and notify the user under what circumstances it must be changed (for example, every X days). The simplest way to comply is to use an OTP, which changes the passcode automatically at every login attempt. It is also recommended that the Temporary Password Policy be configured to force a change of temporary passwords, to maintain compliance for any non-OTP users. See Temporary password policy.
For customers who wish to leverage STA to comply with PCI-DSS, it is recommended that temporary passwords be disabled within the system to enforce OTP-based authentication. See Temporary password policy.
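The PIN, token template and temporary password recommendations above, as an added configuration check that is not part of the page or of STA: it takes a snapshot of the relevant settings and reports every deviation from the stated values (server-side alphanumeric PIN of at least six characters, or a displayed OTP of at least seven alphanumeric characters when no PIN is used, and temporary passwords either disabled or forced to change). The setting names and the two sample configurations are constructed for this example; STA's real configuration schema is not represented here.

```python
import string

ALNUM = set(string.ascii_letters + string.digits)

# Values taken from the page's recommendations.
MIN_PIN_LENGTH = 6
MIN_OTP_LENGTH_WITHOUT_PIN = 7


def otp_display_is_alphanumeric(sample_otp: str) -> bool:
    """True if a displayed OTP contains both letters and digits (alphanumeric display)."""
    chars = set(sample_otp)
    return chars <= ALNUM and any(c.isalpha() for c in chars) and any(c.isdigit() for c in chars)


def check_pci_settings(settings: dict) -> list:
    """Return a list of findings; an empty list means the snapshot meets the recommendations.

    Setting names are an assumption made for this example, not STA's schema.
    """
    findings = []

    if settings.get("pin_enabled"):
        if settings.get("pin_type") != "server-side":
            findings.append("PIN type should be Server-Side")
        if settings.get("pin_length", 0) < MIN_PIN_LENGTH:
            findings.append(f"PIN length should be at least {MIN_PIN_LENGTH}")
        if settings.get("pin_complexity") != "alphanumeric":
            findings.append("PIN complexity should be alphanumeric")
    else:
        # Without a PIN the OTP alone carries the strength requirement.
        if settings.get("otp_length", 0) < MIN_OTP_LENGTH_WITHOUT_PIN:
            findings.append(f"OTP length should be at least {MIN_OTP_LENGTH_WITHOUT_PIN} when no PIN is used")
        if not otp_display_is_alphanumeric(settings.get("otp_sample_display", "")):
            findings.append("OTP display should be alphanumeric when no PIN is used")

    # Static/temporary passwords: disable them, or at least force a change.
    if settings.get("temporary_passwords_enabled") and not settings.get("force_temporary_password_change"):
        findings.append("temporary passwords are enabled without a forced change")

    return findings


# Constructed sample snapshots.
WEAK_SETTINGS = {
    "pin_enabled": False,
    "otp_length": 6,
    "otp_sample_display": "123456",          # numeric-only display
    "temporary_passwords_enabled": True,
    "force_temporary_password_change": False,
}

RECOMMENDED_SETTINGS = {
    "pin_enabled": True,
    "pin_type": "server-side",
    "pin_length": 6,
    "pin_complexity": "alphanumeric",
    "temporary_passwords_enabled": False,
}

if __name__ == "__main__":
    for name, snapshot in (("weak", WEAK_SETTINGS), ("recommended", RECOMMENDED_SETTINGS)):
        print(name, check_pci_settings(snapshot) or ["OK"])
```

Run against the weak snapshot the check reports three findings (short OTP, numeric-only display, unforced temporary passwords); the recommended snapshot reports none. Running such a check after every administrative change, and keeping its output with the change record, is what turns a one-time configuration into evidence an assessor can review.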