Frequently Asked Question

User Access

PCI Requirement 8 - Identify Users and Authenticate Access to System Components

8.2 - User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle.

All users, whatever part of the system or software they use, should:

> Have a unique ID

Group or shared accounts should:

> Be used only where necessary and on an exceptional basis.

> Identify the individual user before access is granted, so that every action taken is attributable to an individual user.

Terminated users

> Access is immediately revoked.


8.3 - Strong authentication for users and administrators is established and managed.

Authenticate using at least one of the following:

- Password / Passphrase

  • New users - A unique password is set for first-time use and must be changed at the user's first login
  • All users - When a password is reset because the user cannot do so themselves, a unique password should be set and must be changed at the user's next login
  • Minimum length should be 12 characters, containing numeric, alphabetic and symbol characters
  • On password change or reset, the new password must not be the same as any of the last 4 passwords
  • Passwords are changed regularly, at least once every 90 days

- Device Token

- Biometrics

However, two-factor or multi-factor authentication, which combines two or more of the above, is recommended.

For example: authenticating with a password and then with a 6- or 8-digit token that was emailed or shown in an authenticator app such as Google Authenticator.
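As an added example (not from this FAQ or any PCI document), the 8.3 password rules above written as the checks a password-change and login routine could apply: 12-character minimum with numeric, alphabetic and symbol characters, no reuse of the last 4 passwords, a 90-day maximum age, and a forced change for new or reset accounts. The Account class, the function names, the SHA-256 digest used for the history and the sample dates are assumptions made for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LENGTH = 12     # 8.3: at least 12 characters
HISTORY_DEPTH = 4   # 8.3: must differ from the last 4 passwords
MAX_AGE_DAYS = 90   # 8.3: changed at least once every 90 days

@dataclass
class Account:
    user_id: str                                  # unique per individual (8.2)
    history: list = field(default_factory=list)  # digests of past passwords, oldest first
    changed_on: date = date(2024, 1, 1)          # constructed sample date
    must_change: bool = True                      # new accounts and admin resets

def _digest(password: str) -> str:
    # Constructed for the example only; a real store uses a salted, slow hash (bcrypt/scrypt).
    return hashlib.sha256(password.encode()).hexdigest()

def composition_errors(password: str) -> list:
    # Returns every 8.3 composition rule the candidate password breaks.
    rules = [(r"[0-9]", "no numeric character"), (r"[A-Za-z]", "no alphabetic character"),
             (r"[^0-9A-Za-z]", "no symbol character")]
    errors = [msg for pattern, msg in rules if not re.search(pattern, password)]
    if len(password) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    return errors

def reuses_recent(account: Account, password: str) -> bool:
    # True when the candidate equals any of the last HISTORY_DEPTH passwords.
    return _digest(password) in account.history[-HISTORY_DEPTH:]

def login_status(account: Account, today: date) -> str:
    # 'change_required' if the password must be replaced before access is granted.
    expired = today - account.changed_on > timedelta(days=MAX_AGE_DAYS)
    return "change_required" if account.must_change or expired else "ok"

def set_password(account: Account, password: str, today: date) -> None:
    # Applies every rule at once and reports all violations, not just the first.
    errors = composition_errors(password)
    if reuses_recent(account, password):
        errors.append("matches one of the last %d passwords" % HISTORY_DEPTH)
    if errors:
        raise ValueError("; ".join(errors))
    account.history = (account.history + [_digest(password)])[-HISTORY_DEPTH:]
    account.changed_on = today
    account.must_change = False
```

A real deployment would also record who performed each reset and when, so the forced change and the 90-day clock can be audited per individual user.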
