8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session

PCI DSS v3.2.1 Questions and Answers Forum Implement Strong Access Control Measures
1

8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.

8.1.8 For a sample of system components, inspect system configuration settings to verify that system/session idle time out features have been set to 15 minutes or less.|When users walk away from an open machine with access to critical system components or cardholder data, that machine may be used by others in the user’s absence, resulting in unauthorized account access and/or misuse.

The re-authentication can be applied either at the system level to protect all sessions running on that machine, or at the application level.|