Requirement 8: Identify and authenticate access to system components.

All users should have unique user IDs for logging into systems; in other words, there should be no shared or generic accounts. This is the basis of an audit trail with individual accountability, since a log entry is only useful if it can be tied to one person. Inactive user accounts should be removed or disabled within 90 days, and accounts belonging to terminated users should be disabled (or deleted) immediately. User accounts should be locked out after no more than six failed login attempts, and the automated lockout should last for at least 30 minutes, or until an administrator re-enables the account.

If a login session is idle for more than 15 minutes, the user must re-authenticate to re-activate the session.

In addition to a username, each user must provide at least one of the following during authentication:

• A complex password that is at least 7 characters long and contains both letters and numbers (something you know)
• A smartcard or other hardware authentication device (something you have)
• Biometric authentication such as a fingerprint or retina scan (something you are)

For administrative access, users must provide at least two of the three factor types above (genuine multi-factor authentication: two different types, not two passwords) for all non-console access to systems, such as SSH access from another server at the same location. All remote users, administrative or not, who access the cardholder data environment (CDE) from an outside network must likewise authenticate with two factors.

Passwords must be changed at least every 90 days, and users must not be allowed to reuse any of their last four passwords.

If initial passwords are assigned rather than chosen by the user, each user must be given a unique password and must be required to change it immediately after first use.
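The account controls above (lockout after six failures with a 30-minute automatic lockout, 15-minute idle timeout, 7-character alphanumeric passwords, 90-day rotation, no reuse of the last four, forced change of an assigned first password, and disabling of accounts idle for 90 days) are easy to state and easy to get subtly wrong. The following is an added example, not code from the original page or from the PCI Security Standards Council, that puts all of them in one small in-memory policy module so the edge cases can be exercised. The Account class, the state it keeps and the result strings are assumptions made for illustration; in production these rules belong in the platform's own controls (PAM, directory policy, IAM) rather than application code.

```python
"""Added example: in-memory enforcement of the Requirement 8 account controls.

Assumptions (not from the page): the Account class, its fields and the
result strings returned by authenticate() are invented for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

MAX_FAILED_ATTEMPTS = 6                    # lock after at most six failures
LOCKOUT_DURATION = timedelta(minutes=30)   # automatic lockout lasts at least 30 min
IDLE_TIMEOUT = timedelta(minutes=15)       # re-authenticate after 15 idle minutes
PASSWORD_MAX_AGE = timedelta(days=90)      # rotate passwords at least every 90 days
PASSWORD_HISTORY = 4                       # no reuse of the last four passwords
MIN_PASSWORD_LENGTH = 7
INACTIVE_LIMIT = timedelta(days=90)        # disable accounts unused for 90 days


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    recent_hashes: List[bytes]        # last PASSWORD_HISTORY hashes, current one last
    pw_set_at: datetime
    must_change: bool = True          # True while an assigned password is in use
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None
    disabled: bool = False

    @property
    def pw_hash(self) -> bytes:
        return self.recent_hashes[-1]


def create_account(user_id: str, assigned_password: str, now: datetime) -> Account:
    """Unique ID with a unique assigned password that must be changed on first use."""
    salt = os.urandom(16)
    return Account(user_id, salt, [_hash(assigned_password, salt)], now, must_change=True)


def password_policy_violations(password: str) -> List[str]:
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("password must be at least 7 characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("password must contain both letters and digits")
    return problems


def set_password(acct: Account, new_password: str, now: datetime) -> Optional[str]:
    """Returns None on success, otherwise the reason the change was rejected."""
    problems = password_policy_violations(new_password)
    if problems:
        return problems[0]
    candidate = _hash(new_password, acct.salt)
    if any(hmac.compare_digest(candidate, h) for h in acct.recent_hashes):
        return "password matches one of the last 4 passwords"
    acct.recent_hashes = (acct.recent_hashes + [candidate])[-PASSWORD_HISTORY:]
    acct.pw_set_at = now
    acct.must_change = False
    return None


def authenticate(acct: Account, password: str, now: datetime) -> str:
    """One of: disabled, locked, failed, password_change_required, ok."""
    if acct.disabled:
        return "disabled"
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"              # still inside the 30-minute lockout
        acct.locked_until = None         # lockout elapsed: automatic unlock
        acct.failed_attempts = 0
    if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "failed"
    acct.failed_attempts = 0
    acct.last_activity = now
    if acct.must_change or now - acct.pw_set_at > PASSWORD_MAX_AGE:
        return "password_change_required"
    return "ok"


def admin_unlock(acct: Account) -> None:
    acct.locked_until = None
    acct.failed_attempts = 0


def session_is_active(acct: Account, now: datetime) -> bool:
    """False once the session has been idle over 15 minutes (re-auth required)."""
    if acct.last_activity is None or now - acct.last_activity > IDLE_TIMEOUT:
        return False
    acct.last_activity = now
    return True


def disable_inactive_accounts(accounts: List[Account], now: datetime) -> List[str]:
    """Disables accounts unused for 90 days; returns the IDs that were disabled."""
    disabled = []
    for acct in accounts:
        last_seen = acct.last_activity or acct.pw_set_at
        if not acct.disabled and now - last_seen > INACTIVE_LIMIT:
            acct.disabled = True
            disabled.append(acct.user_id)
    return disabled
```

Two details worth noting: a correct password presented during the lockout window is still refused and does not shorten the lockout, and the history check compares against the current password as well as the three before it, so "the last four" really means four distinct values before a password can come back.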

For any database that contains cardholder data, only database administrators may directly access or query the database. All other users must go through applications that perform only the database queries needed for the user's job function, so that ordinary users never hold credentials that permit ad hoc queries against cardholder data.
