Implement Strong Access Control Measures

The following are recommendations and information for the Implement Strong Access Control Measures requirements.

Requirement 7: Restrict access to cardholder data by business need to know

Recommendations and Information for Requirement 7

  • iWay Service Manager is a transactional system; it does not store data for external user access unless the application has been specifically developed to do so.
  • iWay Service Manager can be used to host externally-facing applications and web components that provide external data access. For instance, such applications can be hosted on the iSM HTTP channel, which has full support for user-specific access, as well as integration with external user management systems such as AD/LDAP and other access-based facilities. In this case, the application providing data access is responsible for handling authorization to specific data content, based on the received user token.
  • The iWay Service Manager monitoring and management facilities provide full Access Control List (ACL) support and integration with external systems, such as AD/LDAP.

Recommendations and Information for Requirement 7.1

  • User access should be established so that specific access rights are granted for application development and deployment. Use of a source management system (for example, SVN) is critical to ensuring that only designated developers have access to a given application and its application areas. Developer roles should be limited to deploying applications into the development environment only.
  • Roles for application promotion between environments, such as DEV to QA or QA to PROD, should be established, and access should be granted only to specific users. This can be done by creating roles and users in the iWay Service Manager Administration Console (used for application management), or by integrating the iSM Administration Console with an external role/user management system, such as AD/LDAP.
  • The iWay SDK product can also be used to integrate the application promotion life cycle into existing operations, if such a process is already in place. The iWay SDK provides an ANT/Maven-based approach for managing applications as part of the existing build infrastructure, which may already have an established set of users with corresponding roles.

Requirement 8: Identify and authenticate access to system components

Recommendations and Information for Requirement 8

  • The iWay Service Manager Administrative Console can use a natively created role/user-based management system, or integrate with an external role/user management system, such as AD/LDAP.
  • Access to the development environment is controlled through the source management system, with proper user access management applied there.
  • All passwords created and stored within iWay Service Manager are encrypted.
  • Additional information on Console Security management is available in this manual.
  • iWay Service Manager is a transactional system designed for building transactional applications for data processing. Any application written for external consumers that requires internal data access is responsible for implementing the security requirements for sensitive data protection, user access, session management, and other relevant controls.

Requirement 9: Restrict physical access to cardholder data

The requirements of Requirement 9 are not applicable to iWay Integration Products.