Are group, shared, or generic accounts, passwords, or other authentication methods prohibited as follows: Generic user IDs and accounts are disabled or removed; Shared user IDs for system administration activities and other critical functions do not exist; and Shared and generic user IDs are not used to administer any system components?
Are user password parameters configured to require passwords/passphrases to meet the following? A minimum password length of at least seven characters; Contain both numeric and alphabetic characters. Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the specified parameters.
Are all users assigned a unique ID before allowing them to access system components or cardholder data?
Is access for any terminated users immediately deactivated or removed?
In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users? Something you know, such as a password or passphrase; Something you have, such as a token device or smart card; Something you are, such as a biometric.