WithPCI.com

8.6 Use of application and system accounts and associated authentication factors is strictly managed.

This requirement focuses on the strict management of application and system accounts and their associated authentication factors, ensuring proper controls for interactive login, password protection, and secure handling of credentials used by automated processes and applications.

Sub-requirements:

8.6. Authentication for system accounts is managed securely.

Ensure system account credentials are managed and changed from vendor defaults, and that unnecessary accounts are disabled or removed.

Sub-requirements: 3
Test Points: 6
Implementation Difficulty: Low-Moderate (1.7)
Control Types: Technical (3)

Key Risks

Default or unused system accounts
Unchanged default passwords
Unauthorized system access

Frequently Asked Questions

What is required for system account management?

All default passwords must be changed, and unnecessary accounts must be disabled or removed.

How are system accounts reviewed?

Through periodic audits and automated monitoring.

What are the risks of leaving default accounts enabled?

They can be exploited by attackers using well-known credentials.

How often should system accounts be reviewed?

At least annually, or after significant system changes.

How are changes to system accounts documented?

Through change management records and audit logs.

Common QSA Questions

Can you show evidence that default system accounts are changed or disabled?

Yes, we maintain audit logs and configuration records for all system accounts.

How are unnecessary system accounts identified and removed?

We conduct regular reviews and use automated tools to detect and disable unused accounts.

How do you ensure system account credentials are not left at vendor defaults?

We enforce policies and automated checks during system provisioning and maintenance.
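The automated review described in the answers above, as an added example that is not WithPCI's own tooling: it checks local accounts in /etc/passwd and /etc/shadow format against an approved baseline and reports unapproved accounts, service accounts that still have an interactive shell, and service accounts whose password is usable rather than locked. The baseline, shell list and records below are constructed sample inputs.

```python
# Added example, not WithPCI's own tooling: review local accounts against an
# approved baseline and flag the conditions this requirement targets. Input is
# in /etc/passwd and /etc/shadow format; all records below are constructed.

INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash"}
PASSWD_FIELDS = ["name", "pw", "uid", "gid", "gecos", "home", "shell"]

# Assumed policy input: account -> whether interactive login is documented as needed.
APPROVED = {"root": True, "www-data": False, "postgres": False, "deploy": True}

# Constructed sample records (hash fields are placeholders, not real credentials).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postgres:x:110:115:PostgreSQL:/var/lib/postgresql:/bin/bash
guest:x:1001:1001:guest:/home/guest:/bin/bash
deploy:x:1002:1002:deploy:/home/deploy:/bin/bash
"""
SHADOW = """\
root:$6$PLACEHOLDER$hash:19700:0:99999:7:::
www-data:*:19700:0:99999:7:::
postgres:$6$PLACEHOLDER$hash:19700:0:99999:7:::
guest:$6$PLACEHOLDER$hash:19700:0:99999:7:::
deploy:!:19700:0:99999:7:::
"""

def parse_colon_file(text, fields):
    # Map account name -> dict of the named fields for each non-empty record.
    rows = (line.split(":") for line in text.splitlines() if line.strip())
    return {r[0]: dict(zip(fields, r)) for r in rows}

def review_accounts(passwd_text, shadow_text, approved=APPROVED):
    """Return (account, finding) pairs in passwd order for the reviewer to act on."""
    passwd = parse_colon_file(passwd_text, PASSWD_FIELDS)
    shadow = parse_colon_file(shadow_text, ["name", "hash"])
    findings = []
    for name, entry in passwd.items():
        secret = shadow.get(name, {}).get("hash", "*")   # no shadow row: treat as unusable
        if name not in approved:
            findings.append((name, "UNAPPROVED_ACCOUNT"))  # disable or remove
            continue
        if approved[name]:
            continue                                       # interactive login is justified
        if entry["shell"] in INTERACTIVE_SHELLS:
            findings.append((name, "INTERACTIVE_SHELL"))   # set the shell to nologin
        if not secret.startswith(("!", "*")):
            findings.append((name, "USABLE_PASSWORD"))     # empty or hashed: lock it
    return findings
```

Running `review_accounts(PASSWD, SHADOW)` on the sample data reports postgres for both its interactive shell and its usable password, and guest as an account absent from the baseline; the output is the evidence list a reviewer would reconcile against change records.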
