|
8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.),
|
|
0
|
52
|
February 14, 2023
|
|
8.5.1 Additional requirement for service providers only: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential
|
|
0
|
51
|
February 14, 2023
|
|
8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:
|
|
0
|
61
|
February 14, 2023
|
|
8.4 Document and communicate authentication policies and procedures to all users including:
|
|
0
|
42
|
February 14, 2023
|
|
8.3.2 Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network
|
|
0
|
46
|
February 14, 2023
|
|
8.3.1 Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access
|
|
0
|
79
|
February 14, 2023
|
|
8.3 Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication
|
|
0
|
97
|
February 14, 2023
|
|
8.2.6 Set passwords/passphrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use
|
|
0
|
71
|
February 14, 2023
|
|
8.2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used
|
|
0
|
74
|
February 14, 2023
|
|
8.2.4 Change user passwords/passphrases at least once every 90 days
|
|
0
|
62
|
February 14, 2023
|
|
8.2.3 Passwords/passphrases must meet the following:
|
|
0
|
66
|
February 14, 2023
|
|
8.2.2 Verify user identity before modifying any authentication credential—for example, performing password resets, provisioning new tokens, or generating new keys
|
|
0
|
47
|
February 14, 2023
|
|
8.2.1 Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components
|
|
0
|
83
|
February 14, 2023
|
|
8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:
|
|
0
|
56
|
February 14, 2023
|
|
8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session
|
|
0
|
55
|
February 14, 2023
|
|
8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID
|
|
0
|
48
|
February 14, 2023
|
|
8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts
|
|
0
|
69
|
February 14, 2023
|
|
8.1.5 Manage IDs used by third parties to access, support, or maintain system components via remote access as follows:
|
|
0
|
59
|
February 14, 2023
|
|
8.1.4 Remove/disable inactive user accounts within 90 days
|
|
0
|
107
|
February 14, 2023
|
|
8.1.3 Immediately revoke access for any terminated users
|
|
0
|
109
|
February 14, 2023
|
|
8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects
|
|
0
|
122
|
February 14, 2023
|
|
8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data
|
|
0
|
51
|
February 14, 2023
|
|
8.1 Define and implement policies and procedures to ensure proper user identification management for non- consumer users and administrators on all system components as follows:
|
|
0
|
46
|
February 14, 2023
|
|
Requirement 8: Identify and authenticate access to system components
|
|
0
|
91
|
February 14, 2023
|
|
7.3 Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties
|
|
0
|
67
|
February 14, 2023
|
|
7.2.3 Default “deny-all” setting
|
|
0
|
66
|
February 14, 2023
|
|
7.2.2 Assignment of privileges to individuals based on job classification and function
|
|
0
|
65
|
February 14, 2023
|
|
7.2.1 Coverage of all system components
|
|
0
|
45
|
February 14, 2023
|
|
7.2 Establish an access control system(s) for systems components that restricts access based on a user’s need to know, and is set to “deny all” unless specifically allowed
|
|
0
|
51
|
February 14, 2023
|
|
7.1.4 Require documented approval by authorized parties specifying required privileges
|
|
0
|
45
|
February 14, 2023
|