8.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components. | 8 | | | |
    8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data. | | 2 | 2 | |
    8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects. | | 1 | 1 | |
    8.1.3 Immediately revoke access for any terminated users. | | | | |
    8.1.4 Remove/disable inactive user accounts within 90 days. | | | 1 | |
    8.1.5 Manage IDs used by third parties to access, support, or maintain system components via remote access. | | | | |
    8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts. | | | | |
    8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID. | | | | |
    8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session. | | | | |
8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components. | 6 | | | |
    8.2.1 Using strong cryptography, render all authentication credentials unreadable during transmission and storage on all system components. | | | | |
    8.2.2 Verify user identity before modifying any authentication credential. | | | | |
ย ย ย ย ๐ผ 8.2.3 Passwords/passphrases must have complexity and strength. | | 1 | 2 | |
ย ย ย ย ๐ผ 8.2.4 Change user passwords/passphrases at least once every 90 days. | | | 1 | |
ย ย ย ย ๐ผ 8.2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used. | | 1 | 2 | |
ย ย ย ย ๐ผ 8.2.6 Set passwords/passphrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use. | | | | |
๐ผ 8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication. | 2 | | | |
ย ย ย ย ๐ผ 8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access. | | | 1 | |
ย ย ย ย ๐ผ 8.3.2 Incorporate multi-factor authentication for all remote network access originating from outside the entity's network. | | | | |
๐ผ 8.4 Document and communicate authentication policies and procedures to all users. | | | | |
๐ผ 8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods. | 1 | 1 | 1 | |
ย ย ย ย ๐ผ 8.5.1 Service providers with remote access to customer premises must use a unique authentication credential for each customer. | | | | |
8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, or certificates), use of these mechanisms must be assigned to an individual account and not shared among multiple accounts. | | | | |
8.7 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted. | | | | |
8.8 Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties. | | | | |
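Requirements 8.1.6, 8.1.7 and 8.1.8 above describe a concrete lockout and idle-timeout state machine, and the boundary conditions are where implementations usually drift (does a correct password during lockout get through, does the counter reset on success, is "more than 15 minutes" inclusive). The Python below is an added illustration written for this page; it is not text from the standard and not any vendor's implementation. The `check_password` callback, the `AuthPolicy` class, the explicit `now` timestamps and the sample accounts are all constructed for the example.

```python
"""Lockout and idle-session handling modelled on PCI DSS 3.2.1 8.1.6-8.1.8.
Illustrative code written for this page; not from the standard or a product."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_FAILED_ATTEMPTS = 6         # 8.1.6: lock the ID after not more than six attempts
LOCKOUT_SECONDS = 30 * 60       # 8.1.7: lockout lasts at least 30 minutes ...
IDLE_TIMEOUT_SECONDS = 15 * 60  # 8.1.8: re-authenticate after more than 15 idle minutes


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: Optional[float] = None   # None means the ID is not locked


@dataclass
class Session:
    user_id: str
    last_activity: float
    authenticated: bool = True


class AuthPolicy:
    """Per-user-ID lockout bookkeeping plus idle-session enforcement.
    check_password(user_id, password) -> bool is a hypothetical caller-supplied
    callback; `now` (seconds) is passed explicitly so the logic is deterministic."""

    def __init__(self, check_password: Callable[[str, str], bool]) -> None:
        self._check = check_password
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, user_id: str) -> AccountState:
        return self._accounts.setdefault(user_id, AccountState())

    def is_locked(self, user_id: str, now: float) -> bool:
        st = self._state(user_id)
        if st.locked_until is None:
            return False
        if now < st.locked_until:
            return True
        st.locked_until = None        # 8.1.7: the 30 minutes have elapsed;
        st.failed_attempts = 0        # clear the lock and the counter
        return False

    def login(self, user_id: str, password: str, now: float) -> Optional[Session]:
        """Return a Session on success; None on a bad credential or a locked ID."""
        if self.is_locked(user_id, now):
            return None               # even a correct password is refused while locked
        st = self._state(user_id)
        if self._check(user_id, password):
            st.failed_attempts = 0    # a successful login resets the counter
            return Session(user_id=user_id, last_activity=now)
        st.failed_attempts += 1
        if st.failed_attempts >= MAX_FAILED_ATTEMPTS:
            st.locked_until = now + LOCKOUT_SECONDS
        return None

    def admin_unlock(self, user_id: str) -> None:
        """8.1.7: an administrator may re-enable the ID before the period ends."""
        self._accounts[user_id] = AccountState()

    def touch(self, session: Session, now: float) -> bool:
        """Record activity. Returns False once the session has been idle for more than
        15 minutes; it then stays invalid until the user re-authenticates (8.1.8)."""
        if not session.authenticated:
            return False
        if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            session.authenticated = False
            return False
        session.last_activity = now
        return True


def run_scenario() -> Dict[str, bool]:
    """Drive the policy through each requirement with constructed sample accounts."""
    creds = {"alice": "correct horse", "bob": "battery staple"}   # constructed sample data
    policy = AuthPolicy(lambda uid, pw: creds.get(uid) == pw)
    t0 = 1_700_000_000.0
    r: Dict[str, bool] = {}
    for i in range(5):                                  # five wrong guesses ...
        policy.login("alice", "wrong", t0 + i)
    r["locked_after_five"] = policy.is_locked("alice", t0 + 5)
    policy.login("alice", "wrong", t0 + 5)              # ... the sixth locks the ID (8.1.6)
    r["locked_after_six"] = policy.is_locked("alice", t0 + 6)
    r["correct_pw_accepted_while_locked"] = policy.login("alice", "correct horse", t0 + 60) is not None
    r["locked_at_29_minutes"] = policy.is_locked("alice", t0 + 5 + 29 * 60)
    r["locked_at_30_minutes"] = policy.is_locked("alice", t0 + 5 + 30 * 60)   # 8.1.7 elapsed
    t1 = t0 + 5 + 30 * 60
    session = policy.login("alice", "correct horse", t1)
    r["login_after_lockout_expires"] = session is not None
    for i in range(6):                                  # lock bob, then an admin releases him
        policy.login("bob", "wrong", t0 + i)
    r["bob_locked"] = policy.is_locked("bob", t0 + 6)
    policy.admin_unlock("bob")
    r["bob_login_after_admin_unlock"] = policy.login("bob", "battery staple", t0 + 7) is not None
    r["active_at_14_minutes"] = policy.touch(session, t1 + 14 * 60)                      # 8.1.8
    r["active_at_exactly_15_minutes"] = policy.touch(session, t1 + 14 * 60 + 15 * 60)
    r["active_after_15_minutes_1_second"] = policy.touch(session, t1 + 29 * 60 + 15 * 60 + 1)
    r["session_usable_after_timeout"] = policy.touch(session, t1 + 44 * 60 + 2)
    return r
```

Two design points worth noting: failed attempts made while the ID is already locked are refused before they are counted, so an attacker cannot extend a lockout indefinitely against a legitimate user, and the idle check uses a strict "more than 15 minutes" comparison, matching the wording of 8.1.8, so an action at exactly 15 minutes is still accepted.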
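Requirements 8.2.1 (storage side), 8.2.2, 8.2.3, 8.2.4, 8.2.5 and 8.2.6 together describe the lifecycle of a stored password, and the part practitioners most often get wrong is 8.2.5: because every stored credential has its own salt, a candidate password has to be re-derived against each of the last four entries rather than compared as a single hash. The Python below is an added example written for this page; it is not part of the PCI DSS text and not any vendor's code. The `CredentialStore` class, the scrypt parameters, the status strings and the sample credentials are all constructed for the example, and the transmission half of 8.2.1 (TLS on the wire) is outside what this snippet shows.

```python
"""Stored-credential lifecycle modelled on PCI DSS 3.2.1 8.2.1-8.2.6.
Illustrative code written for this page; not from the standard or a product."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List

HISTORY_DEPTH = 4               # 8.2.5: may not equal any of the last four
MAX_AGE_SECONDS = 90 * 86400    # 8.2.4: change at least once every 90 days
MIN_LENGTH = 7                  # 8.2.3 (v3.2.1 text): at least seven characters
_DUMMY_SALT = b"\x00" * 16      # so an unknown ID costs the same time as a known one


@dataclass
class StoredCredential:
    salt: bytes
    digest: bytes
    set_at: float
    must_change: bool           # 8.2.6: first-time/reset value, replaced on first use


def derive(password: str, salt: bytes) -> bytes:
    """8.2.1 storage side: salted, memory-hard KDF so a stolen table is unreadable."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)


def meets_complexity(password: str) -> bool:
    """8.2.3 as worded in v3.2.1: length >= 7 with both letters and digits."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


class CredentialStore:
    def __init__(self) -> None:
        self._current: Dict[str, StoredCredential] = {}
        self._previous: Dict[str, List[StoredCredential]] = {}   # newest first, max three

    def set_initial(self, user_id: str, temp_password: str, now: float) -> None:
        """Provision or reset with a per-user value that must be changed on first use (8.2.6)."""
        salt = os.urandom(16)
        self._current[user_id] = StoredCredential(salt, derive(temp_password, salt), now, True)

    def _matches(self, user_id: str, password: str) -> bool:
        cred = self._current.get(user_id)
        if cred is None:
            derive(password, _DUMMY_SALT)      # constant work: no timing hint about valid IDs
            return False
        return hmac.compare_digest(derive(password, cred.salt), cred.digest)

    def verify(self, user_id: str, password: str, now: float) -> str:
        """Returns 'ok', 'bad', 'must_change' (8.2.6) or 'expired' (8.2.4)."""
        if not self._matches(user_id, password):
            return "bad"
        cred = self._current[user_id]
        if cred.must_change:
            return "must_change"
        if now - cred.set_at > MAX_AGE_SECONDS:
            return "expired"
        return "ok"

    def change_password(self, user_id: str, old_password: str, new_password: str, now: float) -> str:
        if not self._matches(user_id, old_password):
            return "identity_not_verified"      # 8.2.2: prove identity before any change
        if not meets_complexity(new_password):
            return "too_weak"                   # 8.2.3
        cred = self._current[user_id]
        # 8.2.5: "last four" = the current credential plus three predecessors. Each has its
        # own salt, so the candidate must be re-derived against every entry.
        for prev in [cred] + self._previous.get(user_id, []):
            if hmac.compare_digest(derive(new_password, prev.salt), prev.digest):
                return "reused"
        hist = self._previous.setdefault(user_id, [])
        hist.insert(0, cred)
        del hist[HISTORY_DEPTH - 1:]            # keep only the three predecessors
        salt = os.urandom(16)
        self._current[user_id] = StoredCredential(salt, derive(new_password, salt), now, False)
        return "changed"


def run_scenario() -> Dict[str, str]:
    """Walk one constructed account through the full lifecycle."""
    day, t0 = 86400.0, 1_700_000_000.0
    store, r = CredentialStore(), {}
    store.set_initial("alice", "Tmp-9k2q", t0)                 # constructed sample values
    r["temp_password_requires_change"] = store.verify("alice", "Tmp-9k2q", t0)
    r["unknown_user"] = store.verify("mallory", "Tmp-9k2q", t0)
    r["weak_new_password"] = store.change_password("alice", "Tmp-9k2q", "pw1", t0)
    r["first_change"] = store.change_password("alice", "Tmp-9k2q", "Summer2023a", t0)
    r["verify_after_change"] = store.verify("alice", "Summer2023a", t0 + 1)
    store.change_password("alice", "Summer2023a", "Autumn2023b", t0 + 1 * day)
    store.change_password("alice", "Autumn2023b", "Winter2024c", t0 + 2 * day)
    store.change_password("alice", "Winter2024c", "Spring2024d", t0 + 3 * day)
    r["wrong_old_password"] = store.change_password("alice", "nope", "Whatever2025", t0 + 4 * day)
    r["reuse_within_last_four"] = store.change_password("alice", "Spring2024d", "Summer2023a", t0 + 4 * day)
    r["reuse_outside_window"] = store.change_password("alice", "Spring2024d", "Tmp-9k2q", t0 + 4 * day)
    r["verify_at_89_days"] = store.verify("alice", "Tmp-9k2q", t0 + 4 * day + 89 * day)
    r["verify_at_91_days"] = store.verify("alice", "Tmp-9k2q", t0 + 4 * day + 91 * day)
    return r
```

The scenario deliberately shows that the fifth password back ("Tmp-9k2q") is accepted again: 8.2.5 sets a window of exactly four, so a store that only keeps the current hash, or one that keeps an unbounded history, both deviate from the requirement. Comparisons go through `hmac.compare_digest`, and an unknown user ID still performs one derivation, so neither the match nor the existence of an ID leaks through response time.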