PCI compliance - Acceptability of Shared User Accounts

Greetings-

Forgive me if this post was submitted to the wrong place.

My question/concern is about sharing accounts between multiple users... so the scenario is: one username/password may be shared by 3 or more people (within reason, of course).

We are just beginning the implementation process and I have a question about User Accounts going forward. We have a central location, and 26 or so historic 'sites' located throughout Minnesota. We have legions of people who work for us that can be categorized as part-time, seasonal, volunteer, intern, etc...

As you can see, maintaining all of these people who come and go at various intervals with a separate, and possibly short-lived, username/password could turn into a nightmare. I'm wondering if anyone knows about any PCI compliance guidelines that can be followed that either reinforce the 'shared login' practice, or strictly prohibit the practice in a system like Tessitura.

Or... if anyone has any advice or tips on the subject, feel free to let me know!

Thanks!

Jason

Minnesota Historical Society

  • Hi Jason,

    First and foremost, I'm so excited that Split Rock Lighthouse will be part of The Network. I'm originally from Superior, WI and drove up the North Shore a lot in my life.

    As for shared login credentials, I would suggest you stay away from this. By doing so, you remove a valuable layer when it comes to auditing work (like if someone made a mistake or if someone gets compliments from a patron). With shared login, you'd have to know who was working that day and if, let's say, all three people who share that login are working that day, you'd never know who did what work.

    What I would suggest you do is give one key person at each of your satellite locations access to Security and teach them how to create new users and inactivate those user accounts once they no longer are part of Minnesota Historical Society as a staff member. You could make this process be part of the on-boarding of new staff. I would imagine PCI compliance requires a unique login for each user (especially if they will be processing credit cards in Tessitura). Without that unique login, you have no way to definitively know who did the work in Tessitura.

    In my experience, and I've worked with a few different Tessitura using organizations, I've never seen shared login credentials.

  • Great to hear about Split Rock!

    Yeah... audit trail was obviously a big concern of ours that I forgot to touch on. Great advice and thanks much for the tips! We were thinking along just these lines but wanted to make sure that a short-cut wasn't the best approach in this case.

    Take care.

  • Hi Jason, as per PCI DSS v3.0, Requirement 8: Identify and authenticate access to system components:

    Subsection: “8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:

    - Generic user IDs are disabled or removed.

    - Shared user IDs do not exist for system administration and other critical functions.

    - Shared and generic user IDs are not used to administer any system components.

    Guidance:

    If multiple users share the same authentication credentials (for example, user account and password), it becomes impossible to trace system access and activities to an individual. This in turn prevents an entity from assigning accountability for, or having effective logging of, an individual’s actions, since a given action could have been performed by anyone in the group that has knowledge of the authentication credentials.”

    Before we started working on PCI we used to share the same user login credentials (i.e. the same User ID and Password) for our Audience Donor Services’ part-time staff at the box office. But now we don’t allow it anymore, and even if part-time staff only join for a short period of time, we still make sure that they have their own separate user name and password. Partly it’s because they handle credit card information, which we consider a critical function. So I suggest that if they handle credit card info you have separate user names and passwords for them.

    Hope this helps.

    Best,

    Mo

    National Ballet of Canada
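    The thread makes two separable points: the first reply's advice to give every person their own login and inactivate it at offboarding, and Mo's quotation of PCI DSS 8.5, whose guidance is that a shared credential makes actions unattributable. The following script is an added example, not code from the forum, from Tessitura, or from any organisation in the thread; it runs an 8.5-style review over a constructed user roster and a constructed audit log (every name, user ID, date and action below is made up). It flags shared IDs, generic IDs, accounts still active after their holder has left, and log entries that cannot be pinned to one individual, including the "pooled temp account" case where attribution depends on knowing who held the credential on the day.

```python
"""PCI DSS 8.5-style review of accounts and audit log entries.

Added example with constructed data. Assumed inputs: a roster of accounts
listing every person who knows each credential (and when they left), plus an
audit log of (date, user_id, action). None of this is Tessitura's data model.
"""
from dataclasses import dataclass
from datetime import date

# IDs whose base name matches one of these are treated as generic (8.5 says
# generic IDs must be disabled or removed). Assumed list for the example.
GENERIC_BASES = ("temp", "boxoffice", "shared", "guest", "generic", "test")


@dataclass
class Account:
    user_id: str
    active: bool
    holders: tuple   # names of everyone who knows the credential (ideally one)
    left_on: dict    # holder name -> date they left the organisation


@dataclass
class LogEntry:
    when: date
    user_id: str
    action: str


# Constructed roster: one good account, one shared box-office login, one pooled
# temp account whose holder has left but which was never inactivated, and one
# account that was correctly inactivated at offboarding.
ACCOUNTS = [
    Account("jsmith", True, ("Jane Smith",), {}),
    Account("boxoffice1", True, ("Alex Park", "Bo Chen", "Casey Ruiz"), {}),
    Account("temp2", True, ("Dana Lee",), {"Dana Lee": date(2015, 11, 1)}),
    Account("rkim", False, ("Rhea Kim",), {"Rhea Kim": date(2015, 10, 15)}),
]

# Constructed audit log.
AUDIT_LOG = [
    LogEntry(date(2015, 11, 25), "jsmith", "refund 45.00"),
    LogEntry(date(2015, 11, 25), "boxoffice1", "card sale 120.00"),
    LogEntry(date(2015, 11, 20), "temp2", "card sale 30.00"),
    LogEntry(date(2015, 10, 10), "rkim", "card sale 60.00"),
]


def is_generic(user_id):
    """temp1, Temp2, boxoffice3 ... all reduce to a generic base name."""
    return user_id.lower().rstrip("0123456789") in GENERIC_BASES


def shared_ids(accounts):
    """IDs known to more than one person: 8.5 forbids these for critical functions."""
    return [a.user_id for a in accounts if len(a.holders) > 1]


def generic_ids(accounts):
    return [a.user_id for a in accounts if is_generic(a.user_id)]


def stale_active_ids(accounts, today):
    """Active accounts whose every holder has already left: these should have
    been inactivated as part of offboarding."""
    return [
        a.user_id for a in accounts
        if a.active and a.holders
        and all(h in a.left_on and a.left_on[h] <= today for h in a.holders)
    ]


def attribute(entry, accounts):
    """Name the one individual who could have performed a log entry, or None.

    A person counts as a possible actor only if they held the credential and
    had not yet left on the day of the entry. Exactly one candidate is needed
    for accountability; zero or several means the entry is unattributable.
    """
    acct = next((a for a in accounts if a.user_id == entry.user_id), None)
    if acct is None:
        return None
    candidates = [
        h for h in acct.holders
        if acct.left_on.get(h) is None or acct.left_on[h] > entry.when
    ]
    return candidates[0] if len(candidates) == 1 else None


def report(accounts, log, today):
    """Collect every 8.5 finding into one dictionary."""
    return {
        "shared": shared_ids(accounts),
        "generic": generic_ids(accounts),
        "stale_active": stale_active_ids(accounts, today),
        "unattributable": [e for e in log if attribute(e, accounts) is None],
    }


if __name__ == "__main__":
    findings = report(ACCOUNTS, AUDIT_LOG, date(2015, 11, 25))
    for key in ("shared", "generic", "stale_active"):
        print(f"{key}: {findings[key]}")
    for e in findings["unattributable"]:
        print(f"cannot attribute {e.when} {e.user_id!r} {e.action!r}")
```

    The `temp2` entry shows why resetting a pooled account's password at departure is not, on its own, enough: once the last known holder has left, any later use of that ID has no individual behind it, and the ID is still generic under 8.5 regardless of how many people hold it at a time.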

  • Hey Jason,

    You would not be in compliance with shared passwords and users. This is strictly forbidden in PCI.

    Susan

  • Thanks Mohiuddin Faruqe, EXACTLY what I was looking for. We are making the commitment to following the importance of PCI Compliance and its guidelines.

  • The other caveat to this Jason; if you are a RAMP location, I believe every person who is going to use Tessitura needs their own "fish" for the one time password generation and their own unique email address to have a RAMP account. If you aren't RAMP, then this is moot.

  • Why not use accounts like Temp1, Temp2, etc., activate/deactivate them, and be sure to reset the passwords when they leave. This way you have only 26 accounts that are always available.

    You may want to use accounts that are more descriptive.

    Regards,

    MJ Bavaret

    Houston Ballet Foundation

    Director of Information Technology

    Security/Network/Website/Telecommunications

    MJBavaret@houstonballet.org

    Cell 713-545-0401

    Office 713-535-3255

    Fax 832-325-5355

  • Yes, good point. We ARE RAMP. Lots to learn, but this was a big one, and at least learned at the right time. Thanks again.


    Jason Andrea
    Minnesota Historical Society
    651-259-3016