
Section 8.5.15 reads:

If a session has been idle for more than 15 minutes, require the user to re-enter the password to re-activate the terminal.

Section 8 Accompanying note reads:

These requirements are applicable for all accounts, including point-of-sale accounts, with administrative capabilities and all accounts used to view or access cardholder data or to access systems with cardholder data. However, Requirements 8.1, 8.2 and 8.5.8 through 8.5.15 are not intended to apply to user accounts within a point-of-sale payment application that only have access to one card number at a time in order to facilitate a single transaction (such as cashier accounts).


The contradictory statements are:

applicable for all accounts

to access systems with cardholder data

and

are not intended to apply to user accounts within a point-of-sale payment application that only have access to one card

The way I read this is that the requirement does not apply to any account that has nothing to do with credit card or administrative functions that could lead them to gain access to credit cards. So, for example, an account with a function to send e-mails to my customers would be out of scope.

Would appreciate it if someone could help validate or invalidate my interpretation and clarify why I'm wrong if I am.

1 Answer


Yes, your understanding is pretty close.

That accompanying note is intended to clarify exactly that point: those requirements apply only to accounts that have access to multiple cards.
I.e., a cashier application that accepts a single card at a time (and cannot access historical data!) is out of scope.
I.e., your account that can only send emails (assuming there is no access to the customers' CHD) is out of scope.

AviD
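As an added illustration of the control itself (this is example code, not part of the question or the answer, and not from any PCI DSS document), the following Python sketch enforces 8.5.15 the way the answer scopes it: a session belonging to an account that can reach more than one card is locked after more than 15 minutes of inactivity and is re-activated only when the user re-enters a password that verifies; a single-card cashier session is left alone. The account names, the `in_scope` flag, and the in-memory credential store are constructed for the example.

```python
"""Idle-session lock per PCI DSS 8.5.15 (example, not from the original page).

Assumptions (constructed for this example): a per-session `in_scope` flag marks
accounts that can access more than one card number, and credentials live in a
small in-memory store hashed with PBKDF2-HMAC-SHA256.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

# "More than 15 minutes" idle, per 8.5.15; strictly greater than the limit locks.
IDLE_LIMIT = timedelta(minutes=15)

# Constructed credential store: user -> (salt, PBKDF2 hash).
_CREDENTIALS: dict[str, tuple[bytes, bytes]] = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def enroll(user: str, password: str) -> None:
    """Store a salted password hash for `user` (demo store only)."""
    salt = os.urandom(16)
    _CREDENTIALS[user] = (salt, _hash_password(password, salt))


def verify_password(user: str, password: str) -> bool:
    """Constant-time comparison against the stored hash."""
    salt, expected = _CREDENTIALS[user]
    return hmac.compare_digest(_hash_password(password, salt), expected)


@dataclass
class Session:
    user: str
    in_scope: bool          # True if the account can reach more than one card (8.5.15 applies)
    last_activity: datetime
    locked: bool = False


def touch(session: Session, now: datetime) -> bool:
    """Call on every request. Returns True if the request may proceed.

    An in-scope session idle for more than IDLE_LIMIT is locked until the user
    re-authenticates; out-of-scope (single-card cashier) sessions are not locked.
    """
    if session.locked:
        return False
    if session.in_scope and now - session.last_activity > IDLE_LIMIT:
        session.locked = True
        return False
    session.last_activity = now
    return True


def reactivate(session: Session, password: str, now: datetime) -> bool:
    """Unlock a locked session only after the password is re-entered correctly."""
    if not session.locked:
        return True
    if not verify_password(session.user, password):
        return False
    session.locked = False
    session.last_activity = now
    return True


def run_scenario() -> dict:
    """Walk an in-scope analyst session and an out-of-scope cashier session
    through the timeout; returns the observed decisions."""
    enroll("analyst", "correct horse battery staple")
    enroll("cashier", "till-1234")
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    analyst = Session("analyst", in_scope=True, last_activity=t0)
    cashier = Session("cashier", in_scope=False, last_activity=t0)
    return {
        "analyst_14min": touch(analyst, t0 + timedelta(minutes=14)),    # still active
        "analyst_30min": touch(analyst, t0 + timedelta(minutes=30)),    # 16 min idle -> locked
        "analyst_locked": analyst.locked,
        "wrong_password": reactivate(analyst, "nope", t0 + timedelta(minutes=31)),
        "right_password": reactivate(analyst, "correct horse battery staple",
                                     t0 + timedelta(minutes=31)),
        "analyst_after": touch(analyst, t0 + timedelta(minutes=32)),
        "cashier_60min": touch(cashier, t0 + timedelta(minutes=60)),    # exempt, not locked
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The scope flag is the part that the accompanying note is about: in a real deployment it would be derived from the account's role (administrative, or able to view or access cardholder data) rather than set per session, and the idle clock should be kept server-side so a client cannot extend it.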