Requirement 8: Assign a unique ID to each person with computer access
Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.
8.1 Identify all users with a unique user name before allowing them to access system components or cardholder data.
8.2 In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:
- Password
- Token devices (e.g., SecureID, certificates, or public key)
- Biometrics.
8.3 Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.
8.4 Encrypt all passwords during transmission and storage on all system components.
8.5 Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows:
8.5.1 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects
8.5.2 Verify user identity before performing password resets
8.5.3 Set first-time passwords to a unique value for each user and change immediately after the first use
8.5.4 Immediately revoke access for any terminated users
8.5.5 Remove inactive user accounts at least every 90 days
8.5.6 Enable accounts used by vendors for remote maintenance only during the time period needed
8.5.7 Communicate password procedures and policies to all users who have access to cardholder data
8.5.8 Do not use group, shared, or generic accounts and passwords
8.5.9 Change user passwords at least every 90 days
8.5.10 Require a minimum password length of at least seven characters
8.5.11 Use passwords containing both numeric and alphabetic characters
8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used
8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts
8.5.14 Set the lockout duration to thirty minutes or until administrator enables the user ID
8.5.15 If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal
8.5.16 Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users