[PCI-DSS] Requirement 8: Assign a unique ID to each person with computer access


8.1 Identify all users with a unique user name before allowing them to access system components or cardholder data.

8.2 In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:
  * Password
  * Token devices (for example, SecureID, certificates, or public key)
  * Biometrics

8.3 Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.

8.4 Encrypt all passwords during transmission and storage on all system components.

8.5 Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows:
  8.5.1 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects
  8.5.2 Verify user identity before performing password resets
  8.5.3 Set first-time passwords to a unique value for each user and change immediately after the first use
  8.5.4 Immediately revoke access for any terminated users
  8.5.5 Remove inactive user accounts at least every 90 days
  8.5.6 Enable accounts used by vendors for remote maintenance only during the time period needed
  8.5.7 Communicate password procedures and policies to all users who have access to cardholder data
  8.5.8 Do not use group, shared, or generic accounts and passwords
  8.5.9 Change user passwords at least every 90 days
  8.5.10 Require a minimum password length of at least seven characters
  8.5.11 Use passwords containing both numeric and alphabetic characters
  8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used
  8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts
  8.5.14 Set the lockout duration to thirty minutes or until administrator enables the user ID
  8.5.15 If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal
  8.5.16 Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users
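The following is an added worked example, not part of the original post and not code from the PCI Security Standards Council: a small account model that enforces the measurable controls in 8.5.3 and 8.5.9 through 8.5.15 (first-use change, 90-day age, seven-character minimum, letters plus digits, last-four history, lockout after six failures for thirty minutes or until an administrator unlocks, 15-minute idle timeout). The thresholds are the values stated above; storing passwords as salted PBKDF2-HMAC-SHA256 digests is this example's own choice for meeting 8.4 at rest, and the function and field names are hypothetical. Time is passed in as a number so the behaviour can be checked deterministically.

```python
"""Password and account-lockout controls modelled on PCI-DSS requirement 8.5.
Added example: thresholds come from the requirement text; the salted PBKDF2
storage format and all names here are this example's own assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_LENGTH = 7                          # 8.5.10
PASSWORD_HISTORY = 4                    # 8.5.12: current + three previous = last four
MAX_FAILED_ATTEMPTS = 6                 # 8.5.13
LOCKOUT_SECONDS = 30 * 60               # 8.5.14
IDLE_TIMEOUT_SECONDS = 15 * 60          # 8.5.15
MAX_PASSWORD_AGE_SECONDS = 90 * 86400   # 8.5.9
PBKDF2_ROUNDS = 100_000                 # example value, not from the standard


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Keep only a salted PBKDF2 digest at rest (8.4: no cleartext passwords stored)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_password_rules(password: str) -> List[str]:
    """Return the 8.5.10 / 8.5.11 rules a candidate password violates (empty = fine)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"8.5.10: fewer than {MIN_LENGTH} characters")
    if not (any(c.isdigit() for c in password) and any(c.isalpha() for c in password)):
        problems.append("8.5.11: needs both letters and digits")
    return problems


@dataclass
class Account:
    user_id: str                          # 8.1 / 8.5.8: one ID per person, never shared
    salt: bytes
    digest: bytes
    password_set_at: float
    must_change: bool = True              # 8.5.3: first-time password changed at first use
    history: list = field(default_factory=list)   # (salt, digest) of previous passwords, newest first
    failed_attempts: int = 0
    locked_until: float = 0.0
    last_activity: float = 0.0


def create_account(user_id: str, first_time_password: str, now: float) -> Account:
    salt, digest = hash_password(first_time_password)
    return Account(user_id, salt, digest, password_set_at=now)


def set_password(acct: Account, new_password: str, now: float) -> List[str]:
    """Apply a new password; returns the violations found (empty list means it was applied)."""
    problems = check_password_rules(new_password)
    # 8.5.12: reject the current password and the stored previous ones
    for salt, digest in [(acct.salt, acct.digest)] + acct.history:
        if matches(new_password, salt, digest):
            problems.append(f"8.5.12: matches one of the last {PASSWORD_HISTORY} passwords")
            break
    if problems:
        return problems
    # current password moves into history; keep enough that current + history = last four
    acct.history = ([(acct.salt, acct.digest)] + acct.history)[:PASSWORD_HISTORY - 1]
    acct.salt, acct.digest = hash_password(new_password)
    acct.password_set_at = now
    acct.must_change = False
    return []


def login(acct: Account, password: str, now: float) -> str:
    """One authentication attempt: 'ok', 'denied', 'locked' or 'change_required'."""
    if now < acct.locked_until:
        return "locked"                                   # 8.5.14: still inside the lockout window
    if not matches(password, acct.salt, acct.digest):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:   # 8.5.13: sixth failure locks the ID
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return "locked"
        return "denied"
    acct.failed_attempts = 0
    acct.last_activity = now
    if acct.must_change or now - acct.password_set_at > MAX_PASSWORD_AGE_SECONDS:
        return "change_required"                          # 8.5.3 / 8.5.9
    return "ok"


def admin_unlock(acct: Account) -> None:
    """8.5.14: an administrator may re-enable the ID before thirty minutes elapse."""
    acct.locked_until = 0.0
    acct.failed_attempts = 0


def session_active(acct: Account, now: float) -> bool:
    """8.5.15: after more than 15 idle minutes the user must re-enter the password."""
    if now - acct.last_activity > IDLE_TIMEOUT_SECONDS:
        return False
    acct.last_activity = now
    return True
```

Two details worth noting: the lockout counter resets when the lock is set, so the next window starts fresh after the thirty minutes, and `session_active` returning `False` is the signal to route the user back through `login` rather than silently extending the session.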