Blog

PCI Requirement 8.1.4 – Remove/Disable Inactive User Accounts Within 90 Days

by Randy Bartels / December 19, 2022

Are User Accounts Actively In Use? PCI Requirement 8.1.4 calls out the need to remove/disable inactive user accounts within 90 days. Sounds pretty straightforward, right? PCI Requirement 8.1.4 is where a lot of organizations tend to struggle. It’s not about if the user has been terminated or left your organization, it’s about if the account has been actively in use. Extended vacations, sabbaticals, maternity leaves, medical leaves – factors like…

PCI Requirement 8.1.3 – Immediately Revoke Access for Terminated Users

by Randy Bartels / December 19, 2022

Protect Cardholder Data from Terminated Users We’ve all heard a horror story of a terminated employee or someone that has left the company discovering their account was left open or active, giving them access to your network, and malicious access to cardholder data occurred. PCI Requirement 8.1.3 seeks to keep situations like these from happening. PCI Requirement 8.1.3 states, “Immediately revoke access for any terminated users.” Once an employee has…

PCI Requirement 8.1.2 – Control Addition, Deletion, and Modification of User IDs, Credentials

by Randy Bartels / December 19, 2022

Addition, Deletion, and Modification of User IDs PCI Requirement 8.1.2 states, “Control addition, deletion, and modification of user IDS, credentials, and other identifier objects.” To meet PCI Requirement 8.1.2, there must be a formal program of control and someone within your organization must be responsible for the addition, deletion, and modification of user IDS and other credentials. Think about all of the addition, deletion, and modification that has occurred within…

PCI Requirement 8.1 – Define and Implement Policies and Procedures to Ensure Proper User Management

by Randy Bartels / December 19, 2022

Never Share User IDs and Passwords PCI Requirement 8.1 focuses on proper user identification management. If there’s no management of users within your system, you’ve lost accountability for the actions that take place within your systems. It’s hard to determine who has taken which actions if you cannot identify users. The PCI DSS states that having uniquely identified users, instead of using one user ID for several employees, allows organizations…

PCI Requirement 8: Identify and Authenticate Access to System Components

by Randy Bartels / May 31, 2023

What is PCI-DSS Requirement 8? PCI Requirement 8 focuses on two actions: identify and authenticate. These actions are critical to protecting your systems. When the PCI DSS describes system components in its requirements, it’s referring to internal and external networks, servers, and applications that are connected to cardholder data. This could be anything from firewalls to switches to databases. PCI Requirement 8 states, “Identify and authenticate access to system components.”…

PCI Requirement 8.1.4 – Remove/Disable Inactive User Accounts Within 90 Days

PCI Requirement 8.1.3 – Immediately Revoke Access for Terminated Users

PCI Requirement 8.1.2 – Control Addition, Deletion, and Modification of User IDs, Credentials

PCI Requirement 8.1 – Define and Implement Policies and Procedures to Ensure Proper User Management

PCI Requirement 8: Identify and Authenticate Access to System Components

Categories

Newsletter

Learn what you need to get started with our Audit Readiness Guide.