WithPCI.com

8.2.1 All users are assigned a unique ID before access to system components or cardholder data is allowed.

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

8.2.1 All users are assigned a unique ID before access to system components or cardholder data is allowed.

Customized Approach Objective

All actions by all users are attributable to an individual.

Applicability Notes

This requirement is not intended to apply to user accounts within point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction.

Defined Approach Testing Procedures

8.2.1.a Interview responsible personnel to verify that all users are assigned a unique ID for access to system components and cardholder data.

8.2.1.b Examine audit logs and other evidence to verify that access to system components and cardholder data can be uniquely identified and associated with individuals.
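The following Python script is an added example (not part of WithPCI's page or the PCI DSS text) of the kind of check an assessor or internal auditor might run while performing 8.2.1.b, and it also surfaces the "shared or generic accounts" pitfall listed further down. It reads constructed audit log lines in an assumed `key=value` format, compares each user ID against an assumed identity directory, and flags IDs that are generic by name, that map to no named individual, or that are in use from several source addresses within a short window (a common sign that one ID is being shared). The log format, the directory, the generic-name list and the ten-minute window are all assumptions for this example; a real review would substitute the organization's own log schema and IAM export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity directory: one user ID per named individual (assumption).
DIRECTORY = {"jdoe": "Jane Doe", "mrivera": "Marco Rivera", "aks": "Aki Sato"}

# Account names that are shared by convention; activity under them is not
# attributable to an individual (assumed list, extend to local naming rules).
GENERIC_IDS = {"admin", "root", "shared", "operator", "pos", "service"}

# Assumed log line format for this example: ISO timestamp then key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) action=(?P<action>\S+)$"
)

# Constructed sample audit log.
SAMPLE_LOG = """\
2024-05-01T09:00:00 host=db01 user=jdoe src=10.0.0.5 action=login
2024-05-01T09:01:00 host=db01 user=admin src=10.0.0.7 action=login
2024-05-01T09:02:00 host=db01 user=jdoe src=10.0.0.5 action=query
2024-05-01T09:03:00 host=app01 user=mrivera src=10.0.0.9 action=login
2024-05-01T09:04:00 host=db01 user=ops_team src=10.0.0.11 action=login
2024-05-01T09:05:00 host=db01 user=ops_team src=10.0.0.12 action=login
2024-05-01T09:06:00 host=db01 user=ops_team src=10.0.0.13 action=query
2024-05-01T09:07:00 host=app01 user=aks src=10.0.0.20 action=login
"""


def parse_events(text):
    """Parse log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # in a real review, count and report unparseable lines
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def find_unattributable(events, directory=DIRECTORY, generic=GENERIC_IDS,
                        window=timedelta(minutes=10), max_sources=1):
    """Return {user_id: [reasons]} for IDs whose actions cannot be tied to one person.

    Reasons: 'generic_id'          - name is on the shared/generic list
             'not_in_directory'    - no named individual owns this ID
             'concurrent_sources'  - more than max_sources distinct source
                                     addresses used the ID inside one window
    """
    findings = defaultdict(set)
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    for user, evs in by_user.items():
        if user.lower() in generic:
            findings[user].add("generic_id")
        if user not in directory:
            findings[user].add("not_in_directory")
        # Sliding window over this user's events, oldest first: the set of
        # source addresses seen in the last `window` must stay at max_sources.
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            recent = {e["src"] for e in evs[: i + 1] if ev["ts"] - e["ts"] <= window}
            if len(recent) > max_sources:
                findings[user].add("concurrent_sources")
                break
    return {user: sorted(reasons) for user, reasons in findings.items()}


if __name__ == "__main__":
    for user, reasons in find_unattributable(parse_events(SAMPLE_LOG)).items():
        print(f"{user}: {', '.join(reasons)}")
```

On the constructed log, `jdoe`, `mrivera` and `aks` pass, `admin` is reported as a generic ID with no directory owner, and `ops_team` is reported both as unowned and as used from three addresses within ten minutes. Each reported ID is a candidate for the interview step in 8.2.1.a: either it is retired in favour of individual accounts, or the organization documents why it falls under the point-of-sale exception in the Applicability Notes.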

Purpose

The ability to trace actions performed on a computer system to an individual establishes accountability and traceability and is fundamental to establishing effective access controls.

By ensuring each user is uniquely identified, instead of using one ID for several employees, an organization can maintain individual responsibility for actions and an effective record in the audit log per employee. In addition, this will assist with issue resolution and containment when misuse or malicious intent occurs.

Purpose

Assign all users a unique ID before allowing them to access system components or cardholder data.

Compliance Strategies

  • Unique user account creation
  • No shared accounts

Typical Policies

  • User Account Management Policy

Common Pitfalls

  • Shared or generic accounts
  • No user traceability

Type

Technical Control

Difficulty

Low

Key Risks

  • Untraceable activity

Recommendations

  • Automate unique ID assignment in IAM systems

Eligible SAQ

  • SAQ-A
  • SAQ-A-EP
  • SAQ-C
  • SAQ-C-VT
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
