Greetings-
Forgive me if this post was submitted to the wrong place.
My question/concern is about sharing accounts between multiple users. So the scenario is: one username/password may be shared by 3 or more people (within reason, of course).
We are just beginning the implementation process and I have a question about User Accounts going forward. We have a central location, and 26 or so historic 'sites' located throughout Minnesota. We have legions of people who work for us that can be categorized as part-time, seasonal, volunteer, intern, etc...
As you can see, maintaining all of these people who come and go at various intervals with a separate, and possibly short-lived, username/password could turn into a nightmare. I'm wondering if anyone knows about any PCI compliance guidelines that can be followed that either reinforce the 'shared login' practice, or strictly prohibit the practice in a system like Tessitura.
Or... if anyone has any advice or tips on the subject, feel free to let me know!
Thanks!
Jason
Minnesota Historical Society
Hi Jason, as per PCI DSS v3.0, Requirement 8: Identify and authenticate access to system components:
“Subsection: 8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:
- Generic user IDs are disabled or removed.
- Shared user IDs do not exist for system administration and other critical functions.
- Shared and generic user IDs are not used to administer any system components.
Guidance:
If multiple users share the same authentication credentials (for example, user account and password), it becomes impossible to trace system access and activities to an individual. This in turn prevents an entity from assigning accountability for, or having effective logging of, an individual’s actions, since a given action could have been performed by anyone in the group that has knowledge of the authentication credentials.”
Before we started working on PCI we used to share the same user login credentials (i.e. the same User ID and Password) for our Audience Donor Services’ part-time staff at the box office. But now we don’t allow it anymore, and even if part-time staff only join for a short period of time, we still make sure that they have their own separate user name and password. Partly it’s because they handle credit card information, which we consider a critical function. So I suggest that if they handle credit card info, you have a separate user name and password for them.
Hope this helps.
Best,
Mo
National Ballet of Canada
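The accountability point in the quoted guidance (a shared ID makes it impossible to say which person performed an action) also has a practical detection side: a credential that several staff use at once shows up in the login audit trail as one user ID with overlapping sessions from different workstations. The script below is an added example, not code from this thread or from Tessitura; it assumes a hypothetical one-line-per-event log format (`timestamp LOGIN|LOGOUT user=<id> src=<address>`) and runs over a constructed sample so that it can be tried offline.

```python
"""Flag user IDs that look like shared credentials in a login audit log.

Added example with a constructed log format; a user ID with two sessions that
overlap in time from two different source addresses is reported as a likely
shared account (the pattern a shared box-office login produces).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines (not from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:12 LOGIN user=boxoffice src=10.1.5.21
2024-03-01T09:02:40 LOGIN user=boxoffice src=10.1.5.34
2024-03-01T09:05:03 LOGIN user=jsmith src=10.1.5.40
2024-03-01T11:30:00 LOGOUT user=boxoffice src=10.1.5.21
2024-03-01T12:00:00 LOGOUT user=jsmith src=10.1.5.40
2024-03-01T12:15:00 LOGIN user=jsmith src=10.1.5.41
2024-03-01T13:00:00 LOGOUT user=boxoffice src=10.1.5.34
2024-03-01T14:00:00 LOGOUT user=jsmith src=10.1.5.41
"""


def parse_events(text):
    """Turn log lines into (timestamp, action, user, src) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, user_kv, src_kv = line.split()
        user = user_kv.split("=", 1)[1]
        src = src_kv.split("=", 1)[1]
        events.append((datetime.fromisoformat(ts), action, user, src))
    return events


def build_sessions(events):
    """Pair each LOGIN with the next LOGOUT for the same (user, src).

    Returns {user: [(start, end, src), ...]}; a session still open at the end
    of the log gets end=None.
    """
    open_sessions = {}
    sessions = defaultdict(list)
    for ts, action, user, src in sorted(events):
        key = (user, src)
        if action == "LOGIN":
            open_sessions[key] = ts
        elif action == "LOGOUT" and key in open_sessions:
            sessions[user].append((open_sessions.pop(key), ts, src))
    for (user, src), start in open_sessions.items():
        sessions[user].append((start, None, src))
    return sessions


def find_shared_logins(sessions):
    """Return {user: set(src)} for users with overlapping sessions from distinct sources."""
    flagged = {}
    for user, sess in sessions.items():
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                a_start, a_end, a_src = sess[i]
                b_start, b_end, b_src = sess[j]
                if a_src == b_src:
                    continue  # same workstation: a re-login, not sharing
                # Two sessions overlap when each starts before the other ends
                # (an end of None means the session is still open).
                a_open = a_end is None or b_start < a_end
                b_open = b_end is None or a_start < b_end
                if a_open and b_open:
                    flagged.setdefault(user, set()).update({a_src, b_src})
    return flagged


def shared_accounts(text=SAMPLE_LOG):
    """Convenience wrapper: parse, pair into sessions, and flag shared IDs."""
    return find_shared_logins(build_sessions(parse_events(text)))


if __name__ == "__main__":
    for user, srcs in shared_accounts().items():
        print(f"{user}: concurrent sessions from {sorted(srcs)}")
```

On the sample, `boxoffice` is flagged (two overlapping sessions from 10.1.5.21 and 10.1.5.34) while `jsmith` is not, because that person's two sessions from different workstations do not overlap. Overlap from distinct sources is only an indicator, not proof of sharing, so the output is a list of accounts to review against the staff roster rather than an automatic verdict.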
Thanks Mohiuddin Faruqe, EXACTLY what I was looking for. We are making the commitment to following the importance of PCI Compliance and its guidelines.
The other caveat to this, Jason: if you are a RAMP location, I believe every person who is going to use Tessitura needs their own "fish" for the one-time password generation and their own unique email address to have a RAMP account. If you aren't RAMP, then this is moot.