
Thursday, January 2, 2014

PCI DSS Requirement (Section 8): User & Password Policy

8.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
8.2 In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:
- Password or passphrase
- Two-factor authentication (for example, token devices, smart cards, biometrics, or public keys)
8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.
8.4 Render all passwords unreadable during transmission and storage on all system components using strong cryptography.
8.5 Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows:
8.5.1 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
8.5.2 Verify user identity before performing password resets.
8.5.3 Set first-time passwords to a unique value for each user and change immediately after the first use.
8.5.4 Immediately revoke access for any terminated users.
8.5.5 Remove/disable inactive user accounts at least every 90 days.
8.5.6 Enable accounts used by vendors for remote maintenance only during the time period needed.
8.5.7 Communicate password procedures and policies to all users who have access to cardholder data.
8.5.8 Do not use group, shared, or generic accounts and passwords.
8.5.9 Change user passwords at least every 90 days.
8.5.10 Require a minimum password length of at least seven characters.
8.5.11 Use passwords containing both numeric and alphabetic characters.
8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.
8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts.
8.5.14 Set the lockout duration to a minimum of 30 minutes or until administrator enables the user ID.
8.5.15 If a session has been idle for more than 15 minutes, require the user to reenter the password to re-activate the terminal.
8.5.16 Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users.
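A small model of the 8.4 and 8.5.9 through 8.5.15 thresholds listed above, as an added example that is not part of the original post: the `Account` class, the PBKDF2 storage choice and the use of Unix-second timestamps are assumptions of this example, not anything the standard prescribes.

```python
import hashlib
import os

MIN_LENGTH, HISTORY_DEPTH, MAX_ATTEMPTS = 7, 4, 6   # 8.5.10, 8.5.12, 8.5.13
LOCKOUT_SECS, IDLE_SECS = 30 * 60, 15 * 60           # 8.5.14, 8.5.15
MAX_AGE_SECS = 90 * 24 * 3600                        # 8.5.9

def meets_complexity(password):
    """8.5.10/8.5.11: at least seven characters, with both letters and digits."""
    return (len(password) >= MIN_LENGTH and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))

def hash_password(password, salt):
    """8.4: only a salted PBKDF2-HMAC-SHA256 digest is stored, never the cleartext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, now):          # now: Unix time in seconds (assumption)
        self.history = []             # (salt, digest) pairs, newest last
        self.failures, self.locked_until = 0, None
        self.password_set_at = self.last_seen = now

    def set_password(self, password, now):
        """Reject weak passwords and any of the last four used (8.5.12)."""
        if not meets_complexity(password) or any(
                hash_password(password, s) == d for s, d in self.history[-HISTORY_DEPTH:]):
            return False
        salt = os.urandom(16)
        self.history.append((salt, hash_password(password, salt)))
        self.password_set_at = now
        return True

    def login(self, password, now):
        """Returns 'ok', 'locked', 'expired' or 'denied'; assumes a password is set."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"                 # 8.5.14: lockout lasts 30 minutes
            self.failures, self.locked_until = 0, None   # lockout has elapsed
        salt, digest = self.history[-1]
        if hash_password(password, salt) != digest:
            self.failures += 1
            if self.failures >= MAX_ATTEMPTS:   # 8.5.13: lock after six failures
                self.locked_until = now + LOCKOUT_SECS
            return "denied"
        self.failures, self.last_seen = 0, now
        return "expired" if now - self.password_set_at > MAX_AGE_SECS else "ok"

    def needs_reauth(self, now):
        return now - self.last_seen > IDLE_SECS   # 8.5.15: idle for more than 15 minutes
```

Administrator unlock (the "or until administrator enables the user ID" clause of 8.5.14) would simply clear `locked_until` and `failures`.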