PCI DSS 8.2.1: Assign Unique IDs to All Users
User identification is foundational to PCI DSS compliance. Control 8.2.1 requires assigning unique IDs before any user accesses system components or cardholder data—ensuring accountability and non-repudiation. This control eliminates shared accounts and anonymous access, making it impossible to trace actions to responsible individuals.
What this means
Every user who touches your systems or cardholder data must have a distinct, individual identifier before they're granted access. This means no shared login credentials, no generic accounts, and no anonymous access. Unique IDs create an audit trail linking actions to specific users, critical for detecting unauthorized activity and proving compliance during assessments.
How to comply
- 1.Document all users requiring system and cardholder data access
- 2.Implement a user provisioning process that assigns unique identifiers before granting access
- 3.Configure identity management systems to enforce one-to-one user-to-ID mapping
- 4.Disable or remove all shared, generic, and default accounts from production systems
- 5.Audit active user accounts quarterly and remove or disable unused accounts
- 6.Establish naming conventions for user IDs (e.g., firstname.lastname, employee ID)
- 7.Maintain records of user IDs assigned, dates assigned, and authorization approvals
Evidence auditors look for
- User account listing from Active Directory or identity provider showing unique usernames
- System access logs documenting individual user activities with unique ID attribution
- User provisioning requests and approval documentation with assigned unique identifiers
- Audit reports showing zero shared or default accounts in production environments
- User lifecycle management records (creation, modification, deprovisioning dates)
- Role-based access control (RBAC) configuration assigning permissions to unique user IDs
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
See how GRCWatch handles this control automatically.
See how GRCWatch handles this control automatically
Start free trial