PCI 8:

From HORSE - Holistic Operational Readiness Security Evaluation.
Revision as of 15:27, 1 March 2007 by Mdpeters (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Requirement 8: Assign a unique ID to each person with computer access.


  • This ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.




PCI-8.1 Identify all users with a unique username before allowing them to access system components or cardholder data.




PCI-8.2 Employ at least one of the methods below, in addition to unique identification, to authenticate all users:


  • Password Token devices (e.g., SecureID, certificates, or public key).
  • Biometrics.




PCI-8.4 Encrypt all passwords during transmission and storage, on all system components.




PCI-8.5 Ensure proper user authentication and password management for non-consumer users and administrators, on all system components:


PCI-8.5.1 Control the addition, deletion, and modification of user IDs, credentials, and other identifier objects.


PCI-8.5.2 Verify user identity before performing password resets.


PCI-8.5.3 Set first-time passwords to a unique value per user and change immediately after first use.


PCI-8.5.4 Immediately revoke accesses of terminated users.


PCI-8.5.5 Remove inactive user accounts at least every 90 days.


PCI-8.5.6 Enable accounts used by vendors for remote maintenance only during the time needed.


PCI-8.5.7 Distribute password procedures and policies to all users who have access to cardholder information.


PCI-8.5.8 Do not use group, shared, or generic accounts/passwords.


PCI-8.5.9 Change user passwords at least every 90 days.


PCI-8.5.10 Require a minimum password length of at least seven characters.


PCI-8.5.11 Use passwords containing both numeric and alphabetic characters.


PCI-8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.


PCI-8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts.


PCI-8.5.14 Set the lockout duration to thirty minutes or until administrator enables the user ID.


PCI-8.5.15 If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.


PCI-8.5.16 Authenticate all access to any database containing cardholder information. This includes access by applications, administrators, and all other users.



--Mdpeters 12:57, 7 July 2006 (EDT)