PCI-DSS Requirement 8 — Identify Users and Authenticate Access
Enforced by: PCI SSC
Current as of March 31, 2022
Plain Language Summary
PCI DSS v4.0: MFA required for ALL access to CDE (not just admins). Passwords must be at least 12 characters. Shared accounts prohibited. All CDE accounts reviewed every 6 months.
Two fundamental principles apply: identifying the user, and confirming through authentication that the entity is who it claims to be. Multi-factor authentication is required for all non-console administrative access to the CDE, for all remote network access originating from outside the entity's network, and, in PCI DSS v4.0, for all user access to the CDE. Passwords for CDE accounts must be at least 12 characters. Shared or group accounts are prohibited for CDE access, and all CDE accounts must be reviewed every 6 months.
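As an added example (not part of this summary or of any PCI SSC material), a small audit that checks a constructed CDE account inventory against the four rules stated above: MFA on every account, a 12-character minimum, no shared accounts, and a review within the last 6 months. The inventory, its field names, and the 183-day review window are assumptions.

```python
from datetime import date, timedelta

MIN_PASSWORD_LENGTH = 12      # PCI DSS v4.0: CDE passwords must be at least 12 characters
REVIEW_INTERVAL_DAYS = 183    # "every 6 months"; 183 days is an assumption for this check

# Constructed inventory of CDE accounts (not real data). "pw_min_len" is the
# minimum length the directory policy enforces for that account, not a password.
ACCOUNTS = [
    {"user": "alice",   "shared": False, "mfa": True,  "pw_min_len": 16, "last_review": date(2024, 1, 10)},
    {"user": "svc-pos", "shared": True,  "mfa": True,  "pw_min_len": 20, "last_review": date(2024, 1, 10)},
    {"user": "bob",     "shared": False, "mfa": False, "pw_min_len": 14, "last_review": date(2024, 1, 10)},
    {"user": "carol",   "shared": False, "mfa": True,  "pw_min_len": 8,  "last_review": date(2024, 1, 10)},
    {"user": "dave",    "shared": False, "mfa": True,  "pw_min_len": 12, "last_review": date(2023, 1, 1)},
]


def audit_cde_accounts(accounts, today):
    """Return a list of (user, finding) pairs for each Requirement 8 rule an account fails."""
    findings = []
    for acct in accounts:
        if acct["shared"]:
            findings.append((acct["user"], "shared or group account used for CDE access"))
        if not acct["mfa"]:
            findings.append((acct["user"], "MFA not enforced for CDE access"))
        if acct["pw_min_len"] < MIN_PASSWORD_LENGTH:
            findings.append((acct["user"], f"password policy below {MIN_PASSWORD_LENGTH} characters"))
        if today - acct["last_review"] > timedelta(days=REVIEW_INTERVAL_DAYS):
            findings.append((acct["user"], "account not reviewed within 6 months"))
    return findings


def noncompliant_users(accounts, today):
    """Set of user names with at least one finding; empty set means the inventory passes."""
    return {user for user, _ in audit_cde_accounts(accounts, today)}


if __name__ == "__main__":
    for user, finding in audit_cde_accounts(ACCOUNTS, date(2024, 3, 1)):
        print(f"{user}: {finding}")
```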