8.2 User identification and related accounts for users and administrators are strictly managed throughout an account's lifecycle.
This requirement focuses on ensuring that user identities and accounts are properly managed throughout their lifecycle, including creation, modification, and deletion, to maintain accountability and security of system access.
Sub-requirements:
- 8.2.1 All users are assigned a unique ID before access to system components or cardholder data is allowed.
- 8.2.2 Group, shared, or generic IDs, or other shared authentication credentials are only used when necessary on an exception basis, and are managed as follows:
- 8.2.3 Additional requirement for service providers only: Service providers with remote access to customer premises use unique authentication factors for each customer premises.
- 8.2.4 Addition, deletion, and modification of user IDs, authentication factors, and other identifier objects are managed as follows:
- 8.2.5 Access for terminated users is immediately revoked.
- 8.2.6 Inactive user accounts are removed or disabled within 90 days of inactivity.
- 8.2.7 Accounts used by third parties to access, support, or maintain system components via remote access are managed as follows:
- 8.2.8 If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session.
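Sub-requirements 8.2.1, 8.2.5 and 8.2.6 are the ones that can be checked mechanically against an account inventory. The following is an added example, not code from the page or from PCI SSC, that audits a constructed account export for duplicate IDs, enabled accounts belonging to terminated users, and enabled accounts idle for more than 90 days. The inventory fields (user_id, enabled, created_on, last_login, terminated_on), the case-insensitive ID comparison, and the convention of measuring a never-used account's inactivity from its creation date are all assumptions; a real run would feed it a directory export joined with the HR termination feed.

```python
"""Added example: audit an account inventory against PCI DSS 8.2.1, 8.2.5 and 8.2.6.

Not the page's or PCI SSC's code. The record layout below is an assumption;
real input would be a directory export joined with the HR termination feed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

INACTIVITY_LIMIT = timedelta(days=90)  # 8.2.6: disable or remove within 90 days of inactivity


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    created_on: datetime
    last_login: Optional[datetime]      # None: the account has never logged in
    terminated_on: Optional[datetime]   # None: still employed, per the HR feed (assumed source)


def find_duplicate_ids(accounts: List[Account]) -> List[str]:
    """8.2.1: every user needs a unique ID. Returns IDs assigned more than once.
    Assumption: the directory treats IDs case-insensitively, so 'Alice' == 'alice'."""
    seen, dupes = set(), set()
    for a in accounts:
        key = a.user_id.lower()
        if key in seen:
            dupes.add(key)
        seen.add(key)
    return sorted(dupes)


def find_terminated_but_enabled(accounts: List[Account]) -> List[str]:
    """8.2.5: access for terminated users is revoked immediately, so any enabled
    account with a termination date is a finding regardless of how recent it is."""
    return sorted(a.user_id for a in accounts if a.enabled and a.terminated_on is not None)


def find_inactive_but_enabled(accounts: List[Account], now: datetime) -> List[Tuple[str, int]]:
    """8.2.6: enabled accounts idle for more than 90 days. A never-used account is
    measured from creation (assumption), so stale onboarding accounts are caught too.
    Returns (user_id, idle_days) pairs; already-disabled accounts are not findings."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue
        last_activity = a.last_login or a.created_on
        idle = now - last_activity
        if idle > INACTIVITY_LIMIT:
            findings.append((a.user_id, idle.days))
    return sorted(findings)


# Constructed sample data, not a real export. Fixed "now" keeps the run reproducible.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


SAMPLE_ACCOUNTS = [
    #       user_id  enabled created_on     last_login     terminated_on
    Account("alice", True,   days_ago(400), days_ago(3),   None),           # compliant
    Account("bob",   True,   days_ago(400), days_ago(120), None),           # 8.2.6: idle 120 days
    Account("carol", False,  days_ago(400), days_ago(200), None),           # idle but disabled: ok
    Account("dave",  True,   days_ago(400), days_ago(1),   days_ago(2)),    # 8.2.5: terminated, still enabled
    Account("erin",  True,   days_ago(95),  None,          None),           # 8.2.6: never used, 95 days old
    Account("Alice", True,   days_ago(10),  days_ago(1),   None),           # 8.2.1: duplicate of "alice"
]


def audit(accounts: List[Account], now: datetime = NOW) -> dict:
    """Run all three checks and key the findings by sub-requirement."""
    return {
        "8.2.1_duplicate_ids": find_duplicate_ids(accounts),
        "8.2.5_terminated_enabled": find_terminated_but_enabled(accounts),
        "8.2.6_inactive_enabled": find_inactive_but_enabled(accounts, now),
    }


if __name__ == "__main__":
    for requirement, findings in audit(SAMPLE_ACCOUNTS).items():
        print(requirement, findings)
```

The 8.2.6 comparison is strictly greater than 90 days: an account at exactly 90 days is still inside the window, which matters when the job runs daily and the assessor asks for the boundary case. Note that the check only flags enabled accounts; a disabled account with an old last login is what 8.2.6 asks for, not a finding.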
8.2 User identification and authentication controls are implemented.
Ensure all users are uniquely identified and authenticated before accessing system components or cardholder data.
Key Risks
Frequently Asked Questions
Why is unique user identification important?
It ensures accountability and traceability for all actions taken on systems and data.
How should user accounts be managed?
Through unique IDs, timely revocation for terminated users, periodic access reviews, and strong authentication methods.
What controls are required for temporary or contractor accounts?
They must have defined expiration dates and be disabled or removed when no longer needed.
How often should user access be reviewed?
At least every six months, or after significant changes in user roles.
What are the risks of not managing user IDs properly?
Untraceable activity, unauthorized access, and increased risk of breaches.
Common QSA Questions
Can you show evidence of unique user IDs and access reviews?
Yes, we maintain logs and documentation for all user accounts and periodic access reviews.
How do you handle account revocation for terminated users?
We have automated deprovisioning tied to HR processes for immediate account disablement.
How are temporary or contractor accounts managed?
They are created with expiration dates and reviewed regularly to ensure timely removal.