The main goal of this requirement is to ensure traceability to the individual.
Requirement 8.1 now covers user accounts and user identification, while 8.2 covers user authentication requirements.
All users must have a unique identifier (or account) on each in-scope system. Generic or shared accounts are not allowed, and existing ones must be removed or disabled (8.5). Processes and procedures must also be in place to add, delete and modify user accounts.
All users must be authenticated (have their identity confirmed) with at least one of the following authentication factors (8.2):
- something you know - a password, passphrase or Personal Identification Number (PIN, in certain cases only)
- something you have - a token (e.g. RSA), a smart card, a smart phone, a certificate installed on a user-assigned computer
- something you are (biometrics) such as fingerprints, iris scans, etc.
Passwords and passphrases must be complex (a much larger topic, on which the PCI Guru has written separately).
Special care must be taken with any administrative access. PCI DSS 3.2 now mandates multi-factor authentication (two of the three factors described above) for (IT) administrative access to systems in the CDE, as it already does for all remote access to the network by regular users (see Remote Access). It also adds controls for user accounts with access to databases containing CHD, in order to protect CHD and ensure that access to it is traceable. Direct access to databases with CHD (per requirement 6.4.3, real PANs are not allowed on test systems) must be restricted to database administrators (DBAs). Application access to databases must go through special single-purpose accounts created for the application. End users must never have direct access to the database. All non-DBA access must be through programmatic methods (for example stored procedures, views or specific libraries) so that access is properly controlled, adequately logged, and attacks (for example injection attacks) are prevented.
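The following PostgreSQL script is an added example, not code from the original post, showing one way to lay out the database access structure just described: the cardholder-data table is owned by a DBA role, the application connects with a single-purpose account that can only call a stored function, end users see only a masked view, and every non-DBA read is logged. All object and role names (payments.card, dba_role, alice_dba, cde_app, analyst_role, shared_ops) are assumed for illustration; the script is meant to be run by a superuser on an empty database.

```sql
-- Added example in PostgreSQL dialect; every name below is assumed.
-- Run as a superuser on an empty database.

-- WEAK pattern (kept as a comment so it is not applied): direct table grants
-- to the application and to end users. Any injection flaw in the application,
-- or any ad-hoc analyst query, reaches the raw PAN, and nothing records who read it.
-- GRANT SELECT, INSERT, UPDATE, DELETE ON payments.card TO app_user, analyst_user;

-- Corrected pattern -----------------------------------------------------------

-- 8.1: individual, named accounts. A DBA is a person holding dba_role, not a
-- shared login. An existing shared account would be disabled (8.5) with:
-- ALTER ROLE shared_ops NOLOGIN;
CREATE ROLE dba_role NOLOGIN;
CREATE ROLE alice_dba LOGIN IN ROLE dba_role;

-- DBAs own the schema and the tables; nobody else receives a direct grant.
CREATE SCHEMA payments AUTHORIZATION dba_role;
CREATE TABLE payments.card (
    card_id     bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    pan         text   NOT NULL,   -- in a real system protected per Requirement 3
    expiry      date   NOT NULL,
    customer_id bigint NOT NULL
);
ALTER TABLE payments.card OWNER TO dba_role;
CREATE TABLE payments.card_access_log (
    logged_at   timestamptz NOT NULL DEFAULT clock_timestamp(),
    accessed_by text        NOT NULL,
    card_id     bigint      NOT NULL
);
ALTER TABLE payments.card_access_log OWNER TO dba_role;
REVOKE ALL ON SCHEMA payments FROM PUBLIC;

-- Single-purpose application account: schema usage only, no table privileges.
CREATE ROLE cde_app LOGIN;
GRANT USAGE ON SCHEMA payments TO cde_app;

-- Programmatic access for the application. SECURITY DEFINER makes the function
-- run with its owner's (dba_role's) rights, so cde_app needs no grant on the
-- table. The function writes an audit row and returns only the last four digits.
-- p_card_id is a bound parameter; no SQL text is assembled from application input.
CREATE FUNCTION payments.card_last4(p_card_id bigint)
RETURNS TABLE (o_card_id bigint, o_last4 text, o_expiry date)
LANGUAGE sql SECURITY DEFINER
SET search_path = payments, pg_temp
AS $$
    -- session_user stays cde_app inside a SECURITY DEFINER function
    -- (current_user would report dba_role), so the log names the caller.
    INSERT INTO payments.card_access_log (accessed_by, card_id)
    VALUES (session_user, p_card_id);
    SELECT card_id, right(pan, 4), expiry
    FROM payments.card
    WHERE card_id = p_card_id;
$$;
ALTER FUNCTION payments.card_last4(bigint) OWNER TO dba_role;
-- PostgreSQL grants EXECUTE to PUBLIC on new functions by default; take it back.
REVOKE ALL ON FUNCTION payments.card_last4(bigint) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION payments.card_last4(bigint) TO cde_app;

-- End users (analysts) get a masked view instead of the table. The view is
-- owned by dba_role, so analysts need no privilege on payments.card itself.
CREATE ROLE analyst_role NOLOGIN;
CREATE VIEW payments.card_masked AS
    SELECT card_id, repeat('*', 12) || right(pan, 4) AS pan_masked, expiry, customer_id
    FROM payments.card;
ALTER VIEW payments.card_masked OWNER TO dba_role;
GRANT USAGE ON SCHEMA payments TO analyst_role;
GRANT SELECT ON payments.card_masked TO analyst_role;

-- Check after running the script: both statements must fail with "permission denied".
-- SET ROLE cde_app;      SELECT pan FROM payments.card;
-- SET ROLE analyst_role; SELECT pan FROM payments.card;
```

The two commented checks at the end are the test a reviewer would run: if either role can read the raw PAN column directly, a grant has leaked and the single-purpose boundary is broken. The same structure carries over to other engines, but the default PUBLIC EXECUTE on functions and the session_user/current_user distinction are PostgreSQL-specific details worth re-checking elsewhere.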
Requirements 8.3 and 8.6 are covered in the section on remote access.
Requirement 8.2.1 is partially covered in the section on secure transmissions.
Requirement 8.5.1 is covered in the section on shared service providers.