Bug 222 - Ensure proper user authentication and password management for non-consumer users and administrators on all system components
Status: CONFIRMED
Alias: None
Product: E3
Classification: Unclassified
Component: authentication
Version: ---
Hardware: All
OS: All
Importance: P2 normal
Target Milestone: ---
Assignee: Richard Harms
Blocks: 219
Reported: 2006-09-10 14:28 CDT by Richard Harms
Modified: 2017-07-15 11:04 CDT (History)
Description Richard Harms 2006-09-10 14:28:54 CDT
8.5 Ensure proper user authentication and password management for non-consumer users and administrators on all system components as follows:
8.5.1 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects
8.5.2 Verify user identity before performing password resets
8.5.3 Set first-time passwords to a unique value for each user and change immediately after the first use
8.5.4 Immediately revoke access for any terminated users
8.5.5 Remove inactive user accounts at least every 90 days
8.5.6 Enable accounts used by vendors for remote maintenance only during the time period needed
8.5.7 Communicate password procedures and policies to all users who have access to cardholder data
8.5.8 Do not use group, shared, or generic accounts and passwords
8.5.9 Change user passwords at least every 90 days
8.5.10 Require a minimum password length of at least seven characters
8.5.11 Use passwords containing both numeric and alphabetic characters
8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used
8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts
8.5.14 Set the lockout duration to thirty minutes or until administrator enables the user ID
8.5.15 If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal
8.5.16 Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users