[PA-DSS] 3.1 The "out of the box" installation of the payment application in place at the completio

3.1 The “out of the box” installation of the payment application in place at the completion of the installation process must facilitate use of unique usernames and secure authentication (defined at PCI DSS Requirements 8.1, 8.2, and 8.5.8-8.5.15) for all administrative access and for all access to cardholder data.

PCI Data Security Standard Requirements 8.1, 8.2, and 8.5.8-8.5.15

Note: These password controls are not intended to apply to employees who only have access to one card number at a time to facilitate a single transaction. These controls are applicable for access by employees with administrative capabilities, for access to servers with cardholder data, and for access controlled by the payment application. This requirement applies to the payment application and all associated tools used to view or access cardholder data.

Testing Procedures:

3.1.a Test the payment application to verify that unique usernames and secure authentication are required for all administrative access and for all access to cardholder data, in accordance with PCI DSS Requirements 8.1, 8.2, and 8.5.8-8.5.15.

3.1.b Test the payment application to verify the payment application does not use (or require the use of) default administrative accounts for other necessary software (e.g., the payment application must not use the administrative account for database software).

3.1.c Examine PA-DSS Implementation Guide created by vendor to verify the following:

[ul]
[li]Customers and resellers/integrators are advised against using default administrative accounts for payment application logins (e.g., don’t use the “sa” account for payment application access to the database).[/li]
[li]Customers and resellers/integrators are advised to assign secure authentication to these default accounts (even if they won’t be used), and then disable or do not use the accounts.[/li]
[li]Customers and resellers/integrators are advised to assign secure authentication for payment applications and systems whenever possible.[/li]
[li]Customers and resellers/integrators are advised how to create PCI DSS-compliant secure authentication to access the payment application, per PCI DSS Requirements 8.5.8 through 8.5.15.[/li]
[li]Customers and resellers/integrators are advised that changing “out of the box” installation settings for unique usernames and secure authentication will result in non-compliance with PCI DSS.[/li]
[/ul]
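The following is an added example of the kind of post-installation check testing procedures 3.1.a through 3.1.c describe; it is not part of the PA-DSS text and not any vendor's code. It assumes a constructed dictionary layout for the installed configuration (db_user, accounts, and the authentication settings in force) and a short illustrative list of default administrative account names, of which only “sa” comes from the requirement itself. The numeric limits are those of PCI DSS v2.0 Requirements 8.5.9 through 8.5.15, which the requirement cites but does not spell out.

```python
import re

# Default administrative account names the check flags. Assumption: a short
# illustrative list; "sa" is the example the requirement itself gives.
DEFAULT_ADMIN_ACCOUNTS = {"sa", "root", "admin", "administrator", "postgres", "sys", "system"}

# Numeric values of PCI DSS v2.0 Requirements 8.5.9 - 8.5.15 (cited on the page,
# not spelled out there).
MIN_PASSWORD_LENGTH = 7      # 8.5.10
MAX_PASSWORD_AGE_DAYS = 90   # 8.5.9
PASSWORD_HISTORY = 4         # 8.5.12
MAX_FAILED_ATTEMPTS = 6      # 8.5.13
LOCKOUT_MINUTES = 30         # 8.5.14
IDLE_TIMEOUT_MINUTES = 15    # 8.5.15


def password_meets_policy(password: str) -> bool:
    """8.5.10 (at least 7 characters) and 8.5.11 (both numeric and alphabetic)."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def check_installation(config: dict) -> list:
    """Return a list of findings for an installed configuration (empty = no findings).

    Constructed configuration shape (assumption, not a real vendor format):
      db_user  - account the payment application uses for its database
      accounts - application logins: name, shared, enabled, default_password
      lockout_attempts, lockout_minutes, idle_timeout_minutes,
      max_age_days, history - authentication settings in force
    """
    findings = []

    # 3.1.b: the application must not run on another product's default admin account
    if config["db_user"].lower() in DEFAULT_ADMIN_ACCOUNTS:
        findings.append(f"database access uses default administrative account '{config['db_user']}'")

    seen = set()
    for acct in config["accounts"]:
        name = acct["name"].lower()
        if name in seen:                      # unique usernames (8.1)
            findings.append(f"duplicate username '{name}'")
        seen.add(name)
        if acct.get("shared"):                # no group, shared or generic accounts (8.5.8)
            findings.append(f"shared/generic account '{name}' (8.5.8)")
        if acct.get("default_password"):      # secure authentication never assigned
            findings.append(f"account '{name}' still has its vendor-default password")
        if name in DEFAULT_ADMIN_ACCOUNTS and acct.get("enabled", True):
            findings.append(f"default account '{name}' is still enabled")

    # 8.5.9 and 8.5.12 - 8.5.15: age, history, lockout and idle-timeout settings
    if not 1 <= config["lockout_attempts"] <= MAX_FAILED_ATTEMPTS:
        findings.append("lockout after at most 6 failed attempts not enforced (8.5.13)")
    if config["lockout_minutes"] < LOCKOUT_MINUTES:
        findings.append("lockout duration shorter than 30 minutes (8.5.14)")
    if not 1 <= config["idle_timeout_minutes"] <= IDLE_TIMEOUT_MINUTES:
        findings.append("re-authentication after idle time not within 15 minutes (8.5.15)")
    if not 1 <= config["max_age_days"] <= MAX_PASSWORD_AGE_DAYS:
        findings.append("password change not required within 90 days (8.5.9)")
    if config["history"] < PASSWORD_HISTORY:
        findings.append("fewer than the last 4 passwords remembered (8.5.12)")
    return findings


# Constructed sample configurations (not from any real product).
NON_COMPLIANT_INSTALL = {
    "db_user": "sa",
    "accounts": [
        {"name": "admin", "shared": False, "enabled": True, "default_password": True},
        {"name": "pos", "shared": True, "enabled": True, "default_password": False},
    ],
    "lockout_attempts": 0, "lockout_minutes": 0, "idle_timeout_minutes": 0,
    "max_age_days": 0, "history": 0,
}

COMPLIANT_INSTALL = {
    "db_user": "payapp_svc",
    "accounts": [
        {"name": "admin", "shared": False, "enabled": False, "default_password": False},
        {"name": "j.smith", "shared": False, "enabled": True, "default_password": False},
    ],
    "lockout_attempts": 6, "lockout_minutes": 30, "idle_timeout_minutes": 15,
    "max_age_days": 90, "history": 4,
}

if __name__ == "__main__":
    for label, cfg in (("non-compliant", NON_COMPLIANT_INSTALL), ("compliant", COMPLIANT_INSTALL)):
        print(f"{label}: {len(check_installation(cfg))} finding(s)")
        for f in check_installation(cfg):
            print("  -", f)
```

The non-compliant sample trips every check (nine findings), while the hardened sample, in which the default “admin” account keeps a non-default password but is disabled and the application uses its own database service account, produces none. In a real assessment the configuration would be read from the installed product rather than embedded, but the checks themselves map one-to-one onto the testing procedures above.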