PCI Requirement 8.1.8 – Require Re-Authentication After 15 Minutes of Inactivity

by Randy Bartels / December 21st, 2017

Inactive Sessions

I’m sure you’ve witnessed or heard about situations where someone gets up from their workstation, but their session doesn’t log out. Inevitably, someone else uses their workstation to send an embarrassing or prank email on their behalf. But, what if it wasn’t something funny or embarrassing? What if a malicious user used your workstation and gained access to cardholder data? When users walk away from an open machine that has access to critical system components and/or cardholder data, that machine could be used by others in the user’s absence, resulting in unauthorized account access and/or misuse. This is where PCI Requirement 8.1.8 comes into play.

PCI Requirement 8.1.8 states, “If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.” This applies to your organization’s firewalls, routers, networking gear, and other equipment within your environment. An assessor will examine system configuration settings to verify that you require re-authentication after 15 minutes of inactivity. This doesn’t necessarily mean that the session has been terminated, but that the user will need to re-authenticate in order to access that session.

I’m sure we’ve all heard or seen about situations where somebody gets up from their workstation or laptop and it doesn’t log out. Somebody goes over and sends an email on their behalf about something embarrassing or whatever the case may be. We want to be sure that if you get up and walk away from your PC, that if your session has been idle for more than 15 minutes, that session times out.

From an operating system perspective, typically what we’ll look for is that you have a screensaver enabled. That screensaver needs to come on within 15 minutes. Once again, understand that this is not just about your workstation. If you’re going to be remoting into your firewalls, your routers, your networking gear, and all of the other equipment that you might have within your environment – those sessions are subject to this as well.

From an assessment perspective, we’re looking at how you’ve configured your firewalls, your routers, your servers, your applications, and if those sessions exceed 15 minutes or more, it should be timed out. This doesn’t necessarily mean that your session has been terminated, it just means you’re going to need to re-authenticate back into it in order to re-access that session.