I'm quite puzzled about the PCI requirements when it comes to session timeouts and scope definitions.

The login is the end user/customer login to the public facing control panel in which they can handle their own transactions. We act as PSP. The customer cannot see card numbers and expiry dates. They can simply capture already authorized payments and make subscription payments.

Requirement 6.5.10 states:

Incorporating appropriate time-outs and rotation of session IDs after a successful login.

Requirement 8 note states:

Note: These requirements are applicable for all accounts, including point-of-sale accounts, with administrative capabilities and all accounts used to view or access cardholder data or to access systems with cardholder data. This includes accounts used by vendors and other third parties (for example, for support or maintenance).

And requirement 8.1.18 states:

If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.

So my question is: does requirement 8 apply to the public facing web interface for customers (meaning that an appropriate timeout could be e.g. 60 minutes instead of just 15), or does it only apply to administrative access to the systems, e.g. via SSH or an internal web interface only accessible by employees in scope?

15 minutes is a very short session timeout for our customers, which are often web shops that handle orders as they come in. They need to log in over and over again during the day, since they do all their payment handling through our end user interface and not via the API.

Jeffery
15 minutes is for the idle timeout, not a session timeout. – Greg Askew Jan 05 '16 at 15:02

That is kind of the same thing on the web. The session timeout is refreshed upon every request, so if it is set to 15 minutes then it will time out 15 minutes after the last action, meaning that it is also an idle timeout. – Jeffery Jan 07 '16 at 06:49

2 Answers

The idle timeout does not only apply to administrative accounts or internal accounts. It applies to:

all accounts, including point-of-sale accounts, with administrative capabilities and all accounts used to view or access cardholder data or to access systems with cardholder data. This includes accounts used by vendors and other third parties (for example, for support or maintenance).

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf

Benoit Esnard
Greg Askew
Requirement 6 talks about specifying an appropriate time and this needs to be balanced against the use case and security risk. If the session is one which is used to view or access cardholder data such as referenced in requirement 8, then the appropriate timeout is specified at 15 minutes within the standard. However, if the session is used by webshops for cardholder data submission on behalf of customer payments and not to view or access cardholder data or to access systems with cardholder data then the session timeout can be longer than 15 minutes.

You can decide what length of time that should be, considering risks and customer requirements.

AndyMac
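The comment on the question (a per-request refresh makes the "session timeout" an idle timeout) and AndyMac's answer (a longer window is defensible for sessions that never expose cardholder data) describe a mechanism rather than show it. The following is an added example, not code from the question, the answers or PCI SSC: a minimal in-memory session store that implements the idle timeout refreshed on every request, a separate absolute lifetime that activity cannot extend, and rotation of the session ID on successful login as requirement 6.5.10 asks. The 15-minute idle window is the figure quoted in the question; the 60-minute window for non-cardholder-data sessions and the 8-hour absolute lifetime are assumed values chosen for illustration, and the account names are constructed. It uses only the Python standard library and a fake clock, so it runs offline.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Idle windows in seconds. 15 minutes is the figure quoted in the question for
# accounts that view or access cardholder data; 60 minutes is an ASSUMED value
# for a merchant panel that never exposes card numbers (the question's use case).
IDLE_TIMEOUT_CHD = 15 * 60
IDLE_TIMEOUT_NO_CHD = 60 * 60
# Absolute lifetime in seconds (ASSUMED): even a continuously active session ends
# after this long, so refreshing on every request cannot keep it alive forever.
ABSOLUTE_TIMEOUT = 8 * 60 * 60


@dataclass
class Session:
    user: Optional[str]   # None until login succeeds
    accesses_chd: bool    # True if the account can view/access cardholder data
    created_at: float
    last_seen: float


class SessionStore:
    """In-memory session table with idle expiry, absolute expiry and ID rotation."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def start_anonymous(self) -> str:
        # Session issued before login, e.g. to carry the login form state.
        now = self._clock()
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = Session(None, False, now, now)
        return sid

    def login(self, sid: str, user: str, accesses_chd: bool) -> str:
        # Rotate the ID on successful login (requirement 6.5.10): the pre-login ID
        # is discarded, so an ID handed out or observed before authentication never
        # becomes an authenticated session.
        self._sessions.pop(sid, None)
        now = self._clock()
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(user, accesses_chd, now, now)
        return new_sid

    def touch(self, sid: str) -> Optional[Session]:
        # Called on every request. Refreshes the idle window (so the idle and
        # "session" timeouts coincide, as the comment on the question notes) but
        # never the absolute one. Returns None once the session has expired.
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        idle_limit = IDLE_TIMEOUT_CHD if s.accesses_chd else IDLE_TIMEOUT_NO_CHD
        if now - s.last_seen > idle_limit or now - s.created_at > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]  # expired: the user must re-authenticate
            return None
        s.last_seen = now
        return s


def walkthrough() -> Dict[str, bool]:
    """Run the store through both account kinds on a fake clock; report outcomes."""
    clock = [0.0]  # mutable fake clock (seconds) so no real sleeps are needed
    store = SessionStore(lambda: clock[0])
    out: Dict[str, bool] = {}

    # Web-shop account that cannot see card data: 60-minute idle window.
    pre_login = store.start_anonymous()
    shop = store.login(pre_login, "shop-42", accesses_chd=False)
    out["ids_rotated"] = pre_login != shop
    out["old_id_rejected"] = store.touch(pre_login) is None
    alive = True
    for _ in range(4):  # a request every 14 minutes keeps the session alive
        clock[0] += 14 * 60
        alive = alive and store.touch(shop) is not None
    out["kept_alive_by_activity"] = alive
    clock[0] += 61 * 60  # then 61 minutes of silence
    out["idle_expired"] = store.touch(shop) is None

    # Support account that can view cardholder data: 15-minute idle window.
    ops = store.login(store.start_anonymous(), "support-ops", accesses_chd=True)
    clock[0] += 16 * 60
    out["chd_idle_expired"] = store.touch(ops) is None

    # Constant activity still runs into the absolute limit.
    busy = store.login(store.start_anonymous(), "shop-7", accesses_chd=False)
    last = store.touch(busy)
    for _ in range(49):  # 49 x 10 min = 490 min, past the 8-hour lifetime
        clock[0] += 10 * 60
        last = store.touch(busy)
    out["absolute_expired"] = last is None
    return out
```

Calling `walkthrough()` returns every check as `True`. The per-account idle limit is the knob the two answers argue about; the absolute lifetime is the caveat that a refresh-on-request design needs, because otherwise a browser tab that polls in the background keeps a session valid indefinitely. In a real deployment the session table would live in a store shared by all web nodes and the ID would travel in a cookie marked `Secure` and `HttpOnly`; neither changes the expiry logic shown here.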