Access

User access controls are an important requirement for maintaining your PCI DSS compliance, and they must be implemented at the system (O/S), database, and application levels.

For the application, each user must have their own unique user ID. The application neither ships with nor requires any default accounts; an initial user ID must be set up during installation. Individual users must not share accounts: all activity performed in the application is tied to the individual user ID, so a shared account compromises accountability.

To create a new user within the application, open the "Operator ID" menu via Program Menu > Security > Operator ID’s and select "Add". This brings up the new user window; fill out all required fields. Repeat this process for each new user.

If the user is a remote user (multi-user environment), a Windows user account is required, and the new user’s password must meet the following condition:

      Passwords must be a combination of numeric and alphanumeric characters and contain at least seven characters (PCI DSS 8.2.3).

The following password controls are enforced on all user passwords (initial user and those created after installation):

      a minimum history of the last four (4) passwords is maintained (PCI DSS 8.2.5); and

      passwords expire every ninety (90) days (PCI DSS 8.2.4).

The following user lockout and session controls are enforced on all user types (initial user and those created after installation):

      accounts are locked out after no more than six (6) failed login attempts (PCI DSS 8.1.6);

      a minimum lockout duration of thirty (30) minutes is enforced (PCI DSS 8.1.7); and

      a session timeout after fifteen (15) minutes is enabled (PCI DSS 8.1.8).
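As an added reference model of the password, lockout and session controls listed above (this is illustrative code written for this page, not the application's own implementation), the following Python class enforces the page's numeric parameters end to end. The parameter values come from the page; the salted PBKDF2 hashing of the password history, the reading of "numeric and alphanumeric characters" as "letters plus digits", the treatment of the session timeout as an idle timeout, and the Account/login/touch names are assumptions made for the example.

```python
"""Reference model of the access controls above (added example, not the
application's own code).  The numeric limits are the page's values; the
mechanics around them are assumptions about a typical implementation."""
from __future__ import annotations

import hashlib
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 7                          # PCI DSS 8.2.3
HISTORY_DEPTH = 4                       # PCI DSS 8.2.5
MAX_AGE = timedelta(days=90)            # PCI DSS 8.2.4
MAX_FAILURES = 6                        # PCI DSS 8.1.6
LOCKOUT = timedelta(minutes=30)         # PCI DSS 8.1.7
IDLE_TIMEOUT = timedelta(minutes=15)    # PCI DSS 8.1.8 (idle timeout: assumption)


def password_meets_policy(pw: str) -> bool:
    """At least seven characters containing both a letter and a digit
    ("numeric and alphanumeric" read as letters plus digits: assumption)."""
    return (len(pw) >= MIN_LENGTH
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


def _hash(pw: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the history never holds reusable plaintext (assumption).
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list[bytes] = field(default_factory=list)   # oldest first
    password_set_at: datetime | None = None
    failures: int = 0
    locked_until: datetime | None = None
    last_activity: datetime | None = None

    def set_password(self, pw: str, now: datetime) -> None:
        """Reject weak passwords and any of the last four (8.2.3, 8.2.5)."""
        if not password_meets_policy(pw):
            raise ValueError("password does not meet PCI DSS 8.2.3")
        digest = _hash(pw, self.salt)
        if digest in self.history[-HISTORY_DEPTH:]:
            raise ValueError("password reused within the last four (PCI DSS 8.2.5)")
        self.history.append(digest)
        self.password_set_at = now

    def password_expired(self, now: datetime) -> bool:
        """True once ninety days have elapsed since the password was set (8.2.4)."""
        return self.password_set_at is None or now - self.password_set_at >= MAX_AGE

    def login(self, pw: str, now: datetime) -> str:
        """Return 'locked', 'bad', 'expired' or 'ok' (8.1.6, 8.1.7)."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        if not self.history or _hash(pw, self.salt) != self.history[-1]:
            self.failures += 1
            if self.failures >= MAX_FAILURES:     # sixth failure locks for 30 min
                self.locked_until = now + LOCKOUT
                self.failures = 0
            return "bad"
        self.failures = 0
        self.locked_until = None
        if self.password_expired(now):
            return "expired"
        self.last_activity = now               # session starts
        return "ok"

    def touch(self, now: datetime) -> bool:
        """Refresh the session; False (and end it) once idle longer than 15 min (8.1.8)."""
        if self.last_activity is None or now - self.last_activity > IDLE_TIMEOUT:
            self.last_activity = None
            return False
        self.last_activity = now
        return True
```

The clock is passed in explicitly so the expiry, lockout and idle-timeout paths can be exercised deterministically; note that the lockout is applied on the sixth failed attempt and the failure counter is only cleared by a successful login or by the lockout itself.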