Diff: FAQ #1072
What is the purpose of requiring account lockout, per PCI DSS requirement 8.5.14?
Earlier Version

The intent of this requirement is to prevent an unauthorized person from using an unattended console/PC to gain access to the user's computer and accounts, and potentially to the company's network. This does not prevent legitimate activities from being performed while the console/PC is unattended. For example, if a user needs to run a program from an unattended computer, they can log in to the computer to initiate the program, and then "lock" the computer so that no one else can use their login while the computer is unattended. An example of how to meet this requirement includes configuring an automated screensaver to launch whenever the console has been idle for 15 minutes, and requiring the logged-in user to enter their password in order to unlock the screen.

Note: For critical systems (for example, systems that perform security functions or have access to sensitive data), it may be appropriate to reduce the time that the system is idle before the console is locked.

(Note: PCI DSS Requirement numbers refer to PCI DSS version 3)

Later Version

The intent of PCI DSS Requirement 8.1.6 and 8.1.7 is to prevent a malicious user from gaining access to users' accounts by continually trying to guess a user's password over and over. The lockout occurs after no more than six consecutive failed login attempts, and remains in place for at least 30 minutes or until reset by the administrator. These lockout parameters are the minimum to be implemented; more stringent parameters may be used.

Note: PCI DSS Requirement numbers refer to PCI DSS version 3.
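As an added illustration (not part of the FAQ or any PCI SSC material), the following Python sketches a lockout tracker that enforces the parameters stated in the later version: lockout after six consecutive failures, a lockout lasting at least 30 minutes, administrator reset, and a check that a proposed configuration is at least as strict as that minimum. Timestamps are epoch seconds supplied by the caller, and the user names are constructed.

```python
# Minimum lockout parameters as stated for PCI DSS v3 Requirements 8.1.6 / 8.1.7.
MAX_FAILED_ATTEMPTS = 6          # lock after no more than six consecutive failures
MIN_LOCKOUT_SECONDS = 30 * 60    # stay locked for at least 30 minutes


def is_at_least_as_strict(max_attempts: int, lockout_seconds: int) -> bool:
    """True if a configuration meets or exceeds the stated minimum.

    Stricter means fewer allowed failures and/or a longer lockout."""
    return 1 <= max_attempts <= MAX_FAILED_ATTEMPTS and lockout_seconds >= MIN_LOCKOUT_SECONDS


class LockoutTracker:
    """Tracks consecutive failed logins per user and enforces the lockout."""

    def __init__(self, max_attempts: int = MAX_FAILED_ATTEMPTS,
                 lockout_seconds: int = MIN_LOCKOUT_SECONDS) -> None:
        if not is_at_least_as_strict(max_attempts, lockout_seconds):
            raise ValueError("configuration is weaker than the stated minimum")
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.failures: dict[str, int] = {}    # user -> consecutive failed attempts
        self.locked_at: dict[str, float] = {}  # user -> time the lockout began

    def is_locked(self, user: str, now: float) -> bool:
        """Report whether the account is currently locked; expire old lockouts."""
        since = self.locked_at.get(user)
        if since is None:
            return False
        if now - since >= self.lockout_seconds:
            self.admin_unlock(user)  # lockout period elapsed: clear the state
            return False
        return True

    def record_attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Return 'locked', 'ok' or 'failed'. A locked account is refused even
        when the supplied password is correct, so guessing cannot continue."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self.failures.pop(user, None)  # a success resets the consecutive count
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.max_attempts:
            self.locked_at[user] = now
            return "locked"
        return "failed"

    def admin_unlock(self, user: str) -> None:
        """Administrator reset: clears both the lockout and the failure count."""
        self.failures.pop(user, None)
        self.locked_at.pop(user, None)
```

Callers should consult `is_locked` before verifying credentials at all, so a locked account never reaches the password check.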
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.