|
8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.),
|
|
0
|
81
|
February 14, 2023
|
|
8.5.1 Additional requirement for service providers only: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential
|
|
0
|
91
|
February 14, 2023
|
|
8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:
|
|
0
|
99
|
February 14, 2023
|
|
8.4 Document and communicate authentication policies and procedures to all users including:
|
|
0
|
79
|
February 14, 2023
|
|
8.3.2 Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network
|
|
0
|
102
|
February 14, 2023
|
|
8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access
|
|
0
|
130
|
February 14, 2023
|
|
8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication
|
|
0
|
141
|
February 14, 2023
|
|
8.2.6 Set passwords/passphrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use
|
|
0
|
126
|
February 14, 2023
|
|
8.2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used
|
|
0
|
132
|
February 14, 2023
|
|
8.2.4 Change user passwords/passphrases at least once every 90 days
|
|
0
|
93
|
February 14, 2023
|
|
8.2.3 Passwords/passphrases must meet the following:
|
|
0
|
104
|
February 14, 2023
|
|
8.2.2 Verify user identity before modifying any authentication credential—for example, performing password resets, provisioning new tokens, or generating new keys
|
|
0
|
67
|
February 14, 2023
|
|
8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components
|
|
0
|
185
|
February 14, 2023
|
|
8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:
|
|
0
|
80
|
February 14, 2023
|
|
8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session
|
|
0
|
117
|
February 14, 2023
|
|
8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID
|
|
0
|
87
|
February 14, 2023
|
|
8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts
|
|
0
|
116
|
February 14, 2023
|
|
8.1.5 Manage IDs used by third parties to access, support, or maintain system components via remote access as follows:
|
|
0
|
85
|
February 14, 2023
|
|
8.1.4 Remove/disable inactive user accounts within 90 days
|
|
0
|
444
|
February 14, 2023
|
|
8.1.3 Immediately revoke access for any terminated users
|
|
0
|
146
|
February 14, 2023
|
|
8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects
|
|
0
|
163
|
February 14, 2023
|
|
8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data
|
|
0
|
78
|
February 14, 2023
|
|
8.1 Define and implement policies and procedures to ensure proper user identification management for non- consumer users and administrators on all system components as follows:
|
|
0
|
67
|
February 14, 2023
|
|
Requirement 8: Identify and authenticate access to system components
|
|
0
|
147
|
February 14, 2023
|
|
7.3 Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties
|
|
0
|
101
|
February 14, 2023
|
|
7.2.3 Default “deny-all” setting
|
|
0
|
99
|
February 14, 2023
|
|
7.2.2 Assignment of privileges to individuals based on job classification and function
|
|
0
|
85
|
February 14, 2023
|
|
7.2.1 Coverage of all system components
|
|
0
|
68
|
February 14, 2023
|
|
7.2 Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed
|
|
0
|
82
|
February 14, 2023
|
|
7.1.4 Require documented approval by authorized parties specifying required privileges
|
|
0
|
64
|
February 14, 2023
|