What is the purpose of requiring consoles/PCs to become “locked” after 15 minutes of idle time, per PCI DSS Requirement 8.1.8?

The intent of this requirement is to prevent an unauthorized person from using an unattended console/PC to gain access to the user's computer and accounts, and potentially to the company's network.

This does not prevent legitimate activities from being performed while the console/PC is unattended. For example, if a user needs to run a program from an unattended computer, they can log in to the computer to initiate the program and then “lock” the computer so that no one else can use their login while the computer is unattended. One way to meet this requirement is to configure an automated screensaver that launches whenever the console has been idle for 15 minutes and requires the logged-in user to enter their password to unlock the screen.

Note: For critical systems (for example, systems that perform security functions or have access to sensitive data), it may be appropriate to reduce the time that the system is idle before the console is locked.
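As an added example (not part of the original FAQ or of any PCI SSC tooling), the check below reads the per-user Windows screen-saver settings from a constructed registry export and tests them against the 15-minute idle limit, with a shorter limit selectable for the critical systems mentioned in the note above. The value names are the real entries under HKCU\Control Panel\Desktop; the sample values are made up, and settings pushed by Group Policy live under a separate Policies key that this check does not read.

```python
import re

# PCI DSS 8.1.8 baseline: the console must lock after at most 15 minutes of idle time.
PCI_MAX_IDLE_SECONDS = 15 * 60

# Constructed sample of a .reg export of the per-user screen-saver settings.
# Value names are the real ones; the values are made up for this example.
SAMPLE_REG_EXPORT = r"""
[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaveTimeOut"="1200"
"ScreenSaverIsSecure"="0"
"""


def parse_reg_values(text):
    """Return {name: value} for the REG_SZ entries in a .reg style export."""
    values = {}
    for name, value in re.findall(r'^"([^"]+)"="([^"]*)"$', text, flags=re.M):
        values[name] = value
    return values


def check_idle_lock(values, max_idle_seconds=PCI_MAX_IDLE_SECONDS):
    """Evaluate the settings against 8.1.8 and return (compliant, findings).

    max_idle_seconds can be lowered for critical systems, as the FAQ suggests.
    """
    findings = []
    # Screen saver must actually be enabled for the idle timer to do anything.
    if values.get("ScreenSaveActive") != "1":
        findings.append("screen saver is not enabled")
    # Idle timeout is stored in seconds; it must not exceed the allowed maximum.
    timeout = values.get("ScreenSaveTimeOut")
    if timeout is None or not timeout.isdigit():
        findings.append("no idle timeout configured")
    elif int(timeout) > max_idle_seconds:
        findings.append(f"idle timeout {timeout}s exceeds {max_idle_seconds}s")
    # Locking is only meaningful if a password is required to resume the session.
    if values.get("ScreenSaverIsSecure") != "1":
        findings.append("password is not required to unlock")
    return (not findings, findings)


if __name__ == "__main__":
    ok, problems = check_idle_lock(parse_reg_values(SAMPLE_REG_EXPORT))
    print("compliant" if ok else "non-compliant: " + "; ".join(problems))
```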

(Note: PCI DSS Requirement numbers refer to PCI DSS version 3)

July 2014
