Sub-Requirement 8.1 and 8.5.8

  • 8.1 Identify all users with a unique username before allowing them to access system components or cardholder data
  • 8.5.8 Do not use group, shared, or generic accounts and passwords

Illustrative Controls and the TIBCO LogLogic Solution

All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable. Ensuring all users have uniquely identifiable IDs enables the maintenance of accurate and complete audit trails. Deficiencies in this area can significantly impact accountability.

To satisfy this requirement, administrators must ensure all logins are unique and not shared. Administrators must review user lists to identify IDs that may be generic or shared and develop plans to eliminate this shared access. Administrators should also report on logins using known default administrative-level accounts (including “Administrator” on Windows systems and “root” on Unix systems). These accounts are by definition shared, and direct access with these accounts should be disallowed.
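The review described above can be sketched as a small log check. This is an added example, not part of the TIBCO LogLogic product or its reports: it reads OpenSSH "Accepted" lines only, the GENERIC_NAMES list and the sample log are constructed assumptions, and the multiple-source check is a heuristic for possible shared use, not proof of it.

```python
import re
from collections import defaultdict

# Default administrative accounts named in the text above.
DEFAULT_ADMIN = {"root", "administrator"}
# Assumption: site-specific names that suggest a generic or shared ID.
GENERIC_NAMES = {"admin", "guest", "test", "shared", "service", "temp"}

# OpenSSH success line: "Accepted <method> for <user> from <ip> port <n> ssh2"
SSHD_ACCEPT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Accepted\s\S+\sfor\s(?P<user>\S+)\sfrom\s(?P<src>\S+)\sport\s\d+"
)

# Constructed sample input (documentation IP range 192.0.2.0/24).
SAMPLE_LOG = """\
Mar  3 09:12:01 web01 sshd[2201]: Accepted password for root from 192.0.2.10 port 50122 ssh2
Mar  3 09:15:44 web01 sshd[2230]: Accepted publickey for jsmith from 192.0.2.21 port 50310 ssh2
Mar  3 09:20:09 db01 sshd[1184]: Accepted password for admin from 192.0.2.10 port 50177 ssh2
Mar  3 09:31:52 db01 sshd[1190]: Accepted password for admin from 192.0.2.33 port 41920 ssh2
Mar  3 09:40:00 db01 sshd[1201]: Failed password for root from 192.0.2.99 port 40000 ssh2
Mar  3 10:02:13 web01 sshd[2304]: Accepted publickey for jsmith from 192.0.2.21 port 50555 ssh2
"""

def review_logins(log_text):
    """Return (findings, multi_source_users) for successful logins."""
    findings = []
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = SSHD_ACCEPT.match(line)
        if not m:
            continue  # failed attempts and unrelated messages are skipped
        user, name = m["user"], m["user"].lower()
        sources[user].add(m["src"])
        if name in DEFAULT_ADMIN:
            reason = "default-admin"   # direct login with a shared-by-definition ID
        elif name in GENERIC_NAMES:
            reason = "generic-name"    # ID does not identify a person
        else:
            continue
        findings.append((m["ts"], m["host"], user, m["src"], reason))
    # Heuristic: one ID used from several sources may be shared between people.
    multi_source = sorted(u for u, s in sources.items() if len(s) > 1)
    return findings, multi_source

if __name__ == "__main__":
    hits, shared = review_logins(SAMPLE_LOG)
    for ts, host, user, src, reason in hits:
        print(f"{ts} {host} user={user} src={src} reason={reason}")
    print("IDs seen from more than one source:", shared)
```
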

Reports and Alerts

See the following reference for the 8.1 and 8.5.8 reports and alerts:

8.1 and 8.5.8 on page 120.