WithPCI.com

8.6.1 If accounts used by systems or applications can be used for interactive login, they are managed as follows:

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

8.6.1 If accounts used by systems or applications can be used for interactive login, they are managed as follows:

  • Interactive use is prevented unless needed for an exceptional circumstance.
  • Interactive use is limited to the time needed for the exceptional circumstance.
  • Business justification for interactive use is documented.
  • Interactive use is explicitly approved by management.
  • Individual user identity is confirmed before access to account is granted.
  • Every action taken is attributable to an individual user.

Customized Approach Objective

When used interactively, all actions with accounts designated as system or application accounts are authorized and attributable to an individual person.

Applicability Notes

This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

Defined Approach Testing Procedures

8.6.1 Examine application and system accounts that can be used interactively and interview administrative personnel to verify that application and system accounts are managed in accordance with all elements specified in this requirement.

Purpose

Like individual user accounts, system and application accounts require accountability and strict management to ensure they are used only for the intended purpose and are not misused.

Attackers often compromise system or application accounts to gain access to cardholder data.

Good Practice

Where possible, configure system and application accounts to disallow interactive login to prevent unauthorized individuals from logging in and using the account with its associated system privileges, and to limit the machines and devices on which the account can be used.

Definitions

Interactive login is the ability for a person to log into a system or application account in the same manner as a normal user account. Using system and application accounts this way means there is no accountability and traceability of actions taken by the user.

Refer to Appendix G for the definition of "application and system accounts."

Purpose

Manage authentication for system accounts securely.

Compliance Strategies

  • System account inventory
  • Account lifecycle management

Typical Policies

  • System Account Policy

Common Pitfalls

  • Unmanaged system accounts
  • No periodic review

Type

Technical Control

Difficulty

Moderate

Key Risks

  • System compromise via unused accounts

Recommendations

  • Automate system account reviews
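The Good Practice section above recommends configuring system and application accounts so they cannot log in interactively, and the recommendation just listed is to automate the review of those accounts. The script below is an added example, not WithPCI's or the PCI SSC's code, of what such an automated review can look like on a Linux host: it parses /etc/passwd-style entries, treats UIDs 1 to 999 as system/application accounts (the common Debian/RHEL convention; root is left to the administrative-account review), and reports any such account whose login shell is interactive. To reflect the six elements of 8.6.1, it also checks each interactive account against a hypothetical exceptions register that records the business justification, the approving manager and an expiry date, and flags exceptions that are missing approval or have lapsed. The passwd lines, exception records and audit date are constructed sample data; the register format and the `SYSTEM_UID_MAX` cut-off are assumptions you would adapt to your own environment.

```python
"""Audit Linux system/application accounts for interactive-login capability.

Added example for PCI DSS 8.6.1 (not WithPCI's or PCI SSC's code).
Assumptions: /etc/passwd layout, UIDs 1..999 are system accounts, and a
hypothetical exceptions register keyed by account name.
"""
from dataclasses import dataclass
from datetime import date

# Shells that cannot start an interactive session (usual Linux paths;
# compare with /etc/shells on the host being reviewed).
NON_INTERACTIVE_SHELLS = {
    "/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false",
}
SYSTEM_UID_MAX = 999  # assumption: UIDs below 1000 are system accounts


@dataclass(frozen=True)
class Finding:
    account: str
    shell: str
    status: str   # "violation", "expired_exception" or "approved_exception"
    detail: str


def parse_passwd(text):
    """Yield (name, uid, shell) from /etc/passwd-formatted text."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry: skip rather than guess its meaning
        name, _, uid, _, _, _, shell = fields
        yield name, int(uid), shell


def audit_interactive_system_accounts(passwd_text, exceptions, today):
    """Return a Finding for every system account that allows interactive login.

    `exceptions` maps account name -> {"justification", "approved_by", "expires"}
    (hypothetical register format). An account with a non-interactive shell
    is compliant and produces no finding.
    """
    findings = []
    for name, uid, shell in parse_passwd(passwd_text):
        if uid == 0 or uid > SYSTEM_UID_MAX:
            continue  # root and ordinary user accounts are out of scope here
        if shell in NON_INTERACTIVE_SHELLS:
            continue  # interactive use is prevented, as Good Practice recommends
        exc = exceptions.get(name)
        if exc is None:
            findings.append(Finding(name, shell, "violation",
                                    "interactive shell with no documented exception"))
        elif exc["expires"] < today:
            findings.append(Finding(name, shell, "expired_exception",
                                    f"exception expired {exc['expires'].isoformat()}"))
        elif not exc.get("approved_by") or not exc.get("justification"):
            findings.append(Finding(name, shell, "violation",
                                    "exception lacks management approval or business justification"))
        else:
            findings.append(Finding(name, shell, "approved_exception",
                                    f"approved by {exc['approved_by']} until {exc['expires'].isoformat()}"))
    return findings


# Constructed sample data (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postgres:x:110:117:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
appsvc:x:120:120:Payment app service account:/opt/app:/bin/bash
batchsvc:x:121:121:Nightly batch service account:/opt/batch:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
"""

SAMPLE_EXCEPTIONS = {
    "appsvc": {"justification": "Vendor troubleshooting session (constructed)",
               "approved_by": "J. Doe, Head of Operations",
               "expires": date(2025, 6, 30)},
    "batchsvc": {"justification": "Migration cutover (constructed)",
                 "approved_by": "",          # no management approval recorded
                 "expires": date(2025, 12, 31)},
}
AUDIT_DATE = date(2025, 7, 15)  # constructed review date


def run_sample():
    """Run the audit over the constructed sample data."""
    return audit_interactive_system_accounts(SAMPLE_PASSWD, SAMPLE_EXCEPTIONS, AUDIT_DATE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.status:19} {f.account:10} {f.shell:18} {f.detail}")
```

Run against the sample data, the audit reports `postgres` (interactive shell, no exception on file), `appsvc` (exception that expired before the review date) and `batchsvc` (exception without a recorded approver), while `daemon` and `www-data` pass because their shells are non-interactive. Feeding it the real /etc/passwd and a register exported from your change-management system turns the periodic review into a repeatable check whose output can be attached to the assessment evidence.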

Eligible SAQ

  • SAQ-A-EP
  • SAQ-C
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
