Yes, but use of any shared authentication credentials such as group, shared, or generic IDs (including for administrator accounts such as admin or root) must be prevented unless needed for an exceptional circumstance and must be managed in accordance with all elements of PCI DSS requirement 8.5 (andRequirement 8.2.2.

PCI DSS Requirement 8.2.2 applies to all shared authentication credentials, not only those used by administrators. The intent of the associated sub-requirements) appliesPCI DSS requirements for strict management of user identification and accounts (requirements under 8.2) and strong authentication (requirements under 8.3) is to administrators. As such, administrators are not allowedensure each user is uniquely identified such that every action taken is attributable to share passwords. The intent of requirementsan individual user ID. This allows organizations to maintain individual accountability for unique user IDs and complex passwordsactions and provide an effective audit trail per user ID. This will help speed issue resolution and containment if misuse or malicious use occurs.

For administrative functions, tools or password vaults can be used to facilitate management, security, and limited use of shared IDs, including confirming the identity of individual users and maintaining individual accountability and audit trails. A password vault is to ensure each useran example of a technology that can be used when a shared ID is uniquely identified?instead of using one ID and passwordneeded for several employees?so that an organization can maintain individual accountability for actions and an effective audit trail per employee. This will help speed issue resolution and containment when misuseemergency use or malicious use occurs. Often, this requirement for unique IDs and complex passwords is met within administrative functions by using, for example, “su” or SSH such that“break the glass” administrator initially logs on with their own unique ID and password, and then connects to the administrator account via “su” or SSH. Often direct root logins are disabled to prevent use of this shared administrative account. This way, individual accountability and audit trails are maintained. However, even with use of tools such as “su” and SSH, the actual administrator IDs and passwords should also meet PCI DSS requirements (if such accounts are not disabled) to prevent them from being misused.access.