PCI Requirement 8.1.8 – Require Re-Authentication After 15 Minutes of Inactivity

by Randy Bartels / December 20, 2022

Inactive Sessions

I’m sure you’ve witnessed or heard about situations where someone gets up from their workstation, but their session doesn’t log out. Inevitably, someone else uses their workstation to send an embarrassing or prank email on their behalf. But, what if it wasn’t something funny or embarrassing? What if a malicious user used your workstation and gained access to cardholder data? When users walk away from an open machine…
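The control behind 8.1.8 is a server-side idle timer: every authenticated request is checked against the time of the last activity, and a session idle for more than 15 minutes is destroyed so that the user must log in again. The following is an added example, not code from the article or from KirkpatrickPrice; the `SessionStore` class, its methods and the timestamps in `run_demo()` are assumptions made for illustration.

```python
"""Server-side idle timeout for PCI DSS 8.1.8: re-authenticate after more than
15 minutes of inactivity.  Added example, not the article's own code."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

IDLE_LIMIT = timedelta(minutes=15)  # 8.1.8: idle for more than 15 minutes -> re-authenticate


@dataclass
class Session:
    user_id: str
    last_activity: datetime


class SessionStore:
    """Hypothetical in-memory session store. 'now' is injected so expiry is testable."""

    def __init__(self, idle_limit: timedelta = IDLE_LIMIT) -> None:
        # Refuse configurations looser than the requirement allows.
        if idle_limit > IDLE_LIMIT:
            raise ValueError("8.1.8: idle timeout must not exceed 15 minutes")
        self.idle_limit = idle_limit
        self._sessions: Dict[str, Session] = {}

    def login(self, user_id: str, now: datetime) -> str:
        """Issue a fresh, unguessable session ID after successful authentication."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user_id, now)
        return sid

    def authorize(self, sid: str, now: datetime) -> Optional[str]:
        """Run on every request. Returns the user ID, or None when re-authentication is required.

        An idle session is deleted rather than flagged: presenting the old ID later
        (for example by whoever walks up to the unattended workstation) must fail.
        """
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s.last_activity > self.idle_limit:
            del self._sessions[sid]
            return None
        s.last_activity = now  # any authenticated request counts as activity
        return s.user_id

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def run_demo() -> dict:
    """Constructed timeline: one user, requests at 10, 25, 41 and 42 minutes after login."""
    t0 = datetime(2022, 12, 20, 9, 0, tzinfo=timezone.utc)
    store = SessionStore()
    sid = store.login("alice", t0)
    results = {}
    results["request_at_10_min"] = store.authorize(sid, t0 + timedelta(minutes=10))  # 10 min idle: ok
    results["request_at_25_min"] = store.authorize(sid, t0 + timedelta(minutes=25))  # exactly 15 idle: ok
    results["request_at_41_min"] = store.authorize(sid, t0 + timedelta(minutes=41))  # 16 min idle: re-auth
    results["replay_at_42_min"] = store.authorize(sid, t0 + timedelta(minutes=42))   # old ID is gone
    new_sid = store.login("alice", t0 + timedelta(minutes=42))
    results["new_id_differs"] = new_sid != sid
    results["request_after_reauth"] = store.authorize(new_sid, t0 + timedelta(minutes=43))
    return results
```

The check lives in `authorize()`, not in the client: a browser-side timer or a screen saver can be bypassed, while a server that forgets the session cannot be. Re-authentication issues a new session ID so the old one, which may have been observed while the workstation was unattended, is never accepted again.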

PCI Requirement 8.1.7 – Set Lockout Duration to a Minimum of 30 Minutes

by Randy Bartels / December 19, 2022

Account Lockout Duration

Once a user account is locked out after six failed log-in attempts, that account must remain locked. PCI Requirement 8.1.7 states, “Set lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.” Complying with PCI Requirement 8.1.7 can delay and prevent a malicious individual from attempting to continually guess a password. If your organization decides that reactivation must be requested to…

PCI Requirement 8.1.6 – Limit Repeated Access Attempts by Locking Out User ID After No More Than Six Attempts

by Randy Bartels / December 19, 2022

Appropriate Account Lockout Mechanisms

PCI Requirement 8.1.6 states, “Limit repeated access attempts by locking out the user ID after no more than six attempts.” Why is PCI Requirement 8.1.6 so important? Appropriate account lockout mechanisms cut off an attacker’s ability to continuously guess the password. Without the appropriate account lockout mechanisms in place, an attacker could attempt to guess account passwords until they’ve gained access. Take brute-force cracking, for example.…
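Requirements 8.1.6 and 8.1.7 together describe one mechanism: a per-user failure counter that locks the ID at the sixth attempt, and a lock that holds for at least 30 minutes or until an administrator re-enables the ID. The example below implements both and is an addition here, not code from the article or from KirkpatrickPrice; the `LockoutPolicy` class, the `admin_unlock_only` option and the scenario in `run_demo()` are assumptions made for illustration. It also refuses settings that are looser than either requirement allows.

```python
"""Account lockout meeting PCI DSS 8.1.6 (lock after no more than six attempts)
and 8.1.7 (locked at least 30 minutes, or until an administrator re-enables the ID).
Added example, not the article's own code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

MAX_ATTEMPTS = 6                     # 8.1.6 ceiling: lock after no more than six attempts
MIN_LOCKOUT = timedelta(minutes=30)  # 8.1.7 floor: stay locked for at least 30 minutes


@dataclass
class AccountState:
    failures: int = 0
    locked_at: Optional[datetime] = None


class LockoutPolicy:
    """Hypothetical policy object tracking failed attempts per user ID; 'now' is injected."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS,
                 lockout: timedelta = MIN_LOCKOUT,
                 admin_unlock_only: bool = False) -> None:
        # Reject configurations that are looser than the requirement allows.
        if max_attempts > MAX_ATTEMPTS:
            raise ValueError("8.1.6: lockout must trigger after no more than six attempts")
        if lockout < MIN_LOCKOUT:
            raise ValueError("8.1.7: lockout duration must be at least 30 minutes")
        self.max_attempts = max_attempts
        self.lockout = lockout
        self.admin_unlock_only = admin_unlock_only  # assumed option: no timed auto-unlock at all
        self._state: Dict[str, AccountState] = {}

    def _get(self, user_id: str) -> AccountState:
        return self._state.setdefault(user_id, AccountState())

    def is_locked(self, user_id: str, now: datetime) -> bool:
        st = self._get(user_id)
        if st.locked_at is None:
            return False
        if self.admin_unlock_only:
            return True  # only admin_enable() clears the lock
        if now - st.locked_at >= self.lockout:
            st.locked_at, st.failures = None, 0  # timed lockout has expired
            return False
        return True

    def attempt(self, user_id: str, credential_ok: bool, now: datetime) -> str:
        """Outcome of one login attempt: 'locked', 'ok' or 'failed'.

        The lock is checked before credential_ok is trusted: a correct password must
        not unlock an account early, otherwise guessing simply continues.
        """
        st = self._get(user_id)
        if self.is_locked(user_id, now):
            return "locked"  # design choice: attempts made while locked do not extend the lock
        if credential_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_attempts:
            st.locked_at = now
            return "locked"
        return "failed"

    def admin_enable(self, user_id: str) -> None:
        """Administrator re-enables the user ID, clearing both the lock and the counter."""
        self._state[user_id] = AccountState()


def run_demo() -> dict:
    """Constructed scenario: six wrong passwords one second apart, then the right one."""
    t0 = datetime(2022, 12, 19, 9, 0, tzinfo=timezone.utc)
    timed = LockoutPolicy()
    outcomes = [timed.attempt("alice", False, t0 + timedelta(seconds=i)) for i in range(6)]
    results = {
        "after_six_failures": outcomes,
        "correct_pw_at_29_min": timed.attempt("alice", True, t0 + timedelta(minutes=29)),
        "correct_pw_at_31_min": timed.attempt("alice", True, t0 + timedelta(minutes=31)),
    }
    manual = LockoutPolicy(admin_unlock_only=True)
    for i in range(6):
        manual.attempt("bob", False, t0 + timedelta(seconds=i))
    results["manual_still_locked_after_2h"] = manual.is_locked("bob", t0 + timedelta(hours=2))
    manual.admin_enable("bob")
    results["manual_after_admin_enable"] = manual.attempt("bob", True, t0 + timedelta(hours=2))
    return results
```

In `run_demo()` the sixth failure happens five seconds after the first, so the timed lock still holds at 29 minutes and has expired by 31 minutes; with `admin_unlock_only=True` the account stays locked after two hours until `admin_enable()` is called. Whether attempts made during the lock should restart the 30-minute clock is a design choice the requirement leaves open; this example does not extend it.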

PCI Requirement 8.1.5 – Manage IDs Used by Third Parties to Access, Support, or Maintain System Components via Remote Access

by Randy Bartels / December 19, 2022

Managing Third-Party Access

PCI Requirement 8.1.5 focuses on managing third-party access to your system. In situations where you’ve given user IDs to third parties so they can access, support, or maintain system components through remote access, those accounts must be monitored. PCI Requirement 8.1.5 deems that accounts used by third parties should only be enabled during the time period needed, and then disabled when not in use. When they are…

PCI Requirement 8.1.4 – Remove/Disable Inactive User Accounts Within 90 Days

by Randy Bartels / December 19, 2022

Are User Accounts Actively In Use?

PCI Requirement 8.1.4 calls out the need to remove/disable inactive user accounts within 90 days. Sounds pretty straightforward, right? PCI Requirement 8.1.4 is where a lot of organizations tend to struggle. It’s not about if the user has been terminated or left your organization, it’s about if the account has been actively in use. Extended vacations, sabbaticals, maternity leaves, medical leaves – factors like…
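The point the excerpt makes is that 8.1.4 keys on use, not on employment status, so the review has to be driven by last-login data. The following is an added example of such a review and is not code from the article or from KirkpatrickPrice; the `Account` record, `inactive_accounts()` and the sample accounts are constructed for illustration. It handles two cases that a naive query misses: an account that has never logged in (measured from its creation date) and an account that is already disabled (skipped).

```python
"""Find user accounts inactive for more than 90 days (PCI DSS 8.1.4).
Added example, not the article's own code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

INACTIVITY_LIMIT = timedelta(days=90)  # 8.1.4: remove/disable within 90 days of inactivity


@dataclass
class Account:
    user_id: str
    created: datetime
    last_login: Optional[datetime]  # None = never logged in
    enabled: bool = True
    terminated: bool = False        # HR status; deliberately not what this check keys on


def inactive_accounts(accounts: List[Account], now: datetime,
                      limit: timedelta = INACTIVITY_LIMIT) -> List[str]:
    """User IDs that should be disabled: enabled accounts with no login within `limit`.

    An account that has never logged in is measured from its creation date, so a
    provisioned-but-unused account cannot sit open indefinitely.
    """
    if limit > INACTIVITY_LIMIT:
        raise ValueError("8.1.4: inactive accounts must be disabled within 90 days")
    stale: List[str] = []
    for a in accounts:
        if not a.enabled:
            continue  # already disabled; nothing to do
        last_seen = a.last_login if a.last_login is not None else a.created
        if now - last_seen > limit:
            stale.append(a.user_id)
    return stale


def run_demo() -> List[str]:
    """Constructed sample accounts, not real data."""
    now = datetime(2022, 12, 19, tzinfo=timezone.utc)

    def days_ago(n: int) -> datetime:
        return now - timedelta(days=n)

    sample = [
        Account("active_user", created=days_ago(400), last_login=days_ago(3)),
        Account("on_sabbatical", created=days_ago(400), last_login=days_ago(120)),  # still employed, still inactive
        Account("never_used", created=days_ago(95), last_login=None),              # provisioned, never logged in
        Account("exactly_90", created=days_ago(400), last_login=days_ago(90)),     # boundary: not yet over 90
        Account("already_off", created=days_ago(400), last_login=days_ago(200), enabled=False),
        Account("left_company", created=days_ago(400), last_login=days_ago(10), terminated=True),  # separate control
    ]
    return inactive_accounts(sample, now)
```

`on_sabbatical` is flagged even though the person still works for you, which is exactly the situation the excerpt describes; `left_company` is not flagged by this check because its last login is recent, and handling terminated users is a separate control. Run the review on a schedule shorter than 90 days, otherwise an account can cross the limit and wait for the next run.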