| ๐ผ 8.1 Processes and mechanisms for identifying users and authenticating access to system components are defined and understood. | 2 | | | |
| ย ย ย ย ๐ผ 8.1.1 All security policies and operational procedures identified in Requirement 8 are documented, kept up to date, in use, and known to all affected parties. | | | | |
| ย ย ย ย ๐ผ 8.1.2 Roles and responsibilities for performing activities in Requirement 8 are documented, assigned, and understood. | | | | |
| ๐ผ 8.2 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle. | 8 | | | |
| ย ย ย ย ๐ผ 8.2.1 All users are assigned a unique ID before access to system components or cardholder data is allowed. | | | 2 | |
| ย ย ย ย ๐ผ 8.2.2 Group, shared, or generic accounts, or other shared authentication credentials are only used when necessary on an exception basis. | | | 1 | |
| ย ย ย ย ๐ผ 8.2.3 Service providers with remote access to customer premises use unique authentication factors for each customer premises. | | | | |
| ย ย ย ย ๐ผ 8.2.4 Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed. | | | 1 | |
| ย ย ย ย ๐ผ 8.2.5 Access for terminated users is immediately revoked. | | | | |
| ย ย ย ย ๐ผ 8.2.6 Inactive user accounts are removed or disabled within 90 days of inactivity. | | | 1 | |
| ย ย ย ย ๐ผ 8.2.7 Accounts used by third parties to access, support, or maintain system components via remote access are managed. | | | | |
| ย ย ย ย ๐ผ 8.2.8 If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session. | | | | |
| ๐ผ 8.3 Strong authentication for users and administrators is established and managed. | 11 | | | |
| ย ย �ย ย ๐ผ 8.3.1 All user access to system components for users and administrators is authenticated. | | | | |
| ย ย ย ย ๐ผ 8.3.2 Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components. | | | | |
| ย ย ย ย ๐ผ 8.3.3 User identity is verified before modifying any authentication factor. | | | | |
| ย ย ย ย ๐ผ 8.3.4 Invalid authentication attempts are limited. | | | | |
| ย ย ย ย ๐ผ 8.3.5 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they are set and reset for each user. | | | | |
| ย ย ย ย ๐ผ 8.3.6 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the minimum level of complexity. | | | 2 | |
| ย ย ย ย ๐ผ 8.3.7 Individuals are not allowed to submit a new password/passphrase that is the same as any of the last four passwords/passphrases used. | | | 2 | |
| ย ย ย ย ๐ผ 8.3.8 Authentication policies and procedures are documented and communicated to all users. | | | | |
| ย ย ย ย ๐ผ 8.3.9 If passwords/passphrases are used as the only authentication factor for user access then either passwords/passphrases are changed at least once every 90 days, or the security posture of accounts is dynamically analyzed. | | | 1 | |
| ย ย ย ย ๐ผ 8.3.10 If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data, then guidance is provided to customer users. | 1 | | 1 | |
| ย ย ย ย ย ย ย ย ๐ผ 8.3.10.1 If passwords/passphrases are used as the only authentication factor for customer user access then either passwords/passphrases are changed at least once every 90 days, or the security posture of accounts is dynamically analyzed. | | | | |
| ย ย ย ย ๐ผ 8.3.11 Where authentication factors such as physical or logical security tokens, smart cards, or certificates are used factors are assigned to an individual user and not shared among multiple users, and physical and/or logical controls ensure only the intended user can use that factor to gain access. | | | | |
| ๐ผ 8.4 Multi-factor authentication (MFA) is implemented to secure access into the CDE. | 3 | | | |
| ย ย ย ย ๐ผ 8.4.1 MFA is implemented for all non-console access into the CDE for personnel with administrative access. | | | 1 | |
| ย ย ย ย ๐ผ 8.4.2 MFA is implemented for all access into the CDE. | | | 2 | |
| ย ย ย ย ๐ผ 8.4.3 MFA is implemented for all remote network access originating from outside the entity's network that could access or impact the CDE. | | | | |
| ๐ผ 8.5 Multi-factor authentication (MFA) systems are configured to prevent misuse. | 1 | | | |
| ย ย ย ย ๐ผ 8.5.1 MFA systems are implemented. | | | | |
| ๐ผ 8.6 Use of application and system accounts and associated authentication factors is strictly managed. | 3 | | | |
| ย ย ย ย ๐ผ 8.6.1 If accounts used by systems or applications can be used for interactive login, they are managed. | | | | |
| ย ย ย ย ๐ผ 8.6.2 Passwords/passphrases for any application and system accounts that can be used for interactive login are not hard coded in scripts, configuration/property files, or bespoke and custom source code. | | | | |
| ย ย ย ย ๐ผ 8.6.3 Passwords/passphrases for any application and system accounts are protected against misuse. | | | 1 | |