| ๐ผ 8.3.1 All user access to system components for users and administrators is authenticated. | | | | |
| ๐ผ 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components. | | | | |
| ๐ผ 8.3.3 User identity is verified before modifying any authentication factor. | | | | |
| ๐ผ 8.3.4 Invalid authentication attempts are limited. | | | | |
| ๐ผ 8.3.5 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they are set and reset for each user. | | | | |
| ๐ผ 8.3.6 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the minimum level of complexity. | | | 2 | |
| ๐ผ 8.3.7 Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used. | | | 2 | |
| ๐ผ 8.3.8 Authentication policies and procedures are documented and communicated to all users. | | | | |
| ๐ผ 8.3.9 If passwords/passphrases are used as the only authentication factor for user access then either passwords/passphrases are changed at least once every 90 days, or the security posture of accounts is dynamically analyzed. | | | 1 | |
| ๐ผ 8.3.10 If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data, then guidance is provided to customer users. | 1 | | 1 | |
| ย ย ย ย ๐ผ 8.3.10.1 If passwords/passphrases are used as the only authentication factor for customer user access then either passwords/passphrases are changed at least once every 90 days, or the security posture of accounts is dynamically analyzed. | | | | |
| ๐ผ 8.3.11 Where authentication factors such as physical or logical security tokens, smart cards, or certificates are used factors are assigned to an individual user and not shared among multiple users, and physical and/or logical controls ensure only the intended user can use that factor to gain access. | | | | |