PCI DSS 8.2.2: Restrict Shared Accounts to Exception Cases
Shared and generic accounts create accountability gaps and increase security risk in payment card environments. PCI DSS 8.2.2 requires organizations to eliminate shared accounts except when absolutely necessary and manage them with strict controls. This control is critical for maintaining user accountability and preventing unauthorized access to cardholder data.
What this means
Group, shared, or generic accounts must be limited to documented exception scenarios only. When shared accounts are necessary, they require enhanced management practices including documented business justification, restricted access, activity monitoring, and regular access reviews. Each user must maintain individual, non-shared accounts for standard operations.
How to comply
- 1.Audit all existing accounts and identify shared, group, or generic accounts currently in use
- 2.Document business justification for each shared account and obtain approval from management
- 3.Eliminate shared accounts that lack valid business reasons; migrate users to individual accounts
- 4.For necessary shared accounts, implement password management controls and change credentials when users leave
- 5.Restrict shared account permissions to minimum necessary for intended function
- 6.Enable and monitor activity logging for all shared account actions
- 7.Conduct quarterly reviews of shared accounts and their justifications
- 8.Remove access immediately when shared account users change roles or leave the organization
Evidence auditors look for
- Account inventory documenting all shared/group/generic accounts with business justifications
- Management approval records authorizing exception-based shared accounts
- Access control policies defining when shared accounts are permitted
- Activity logs showing all actions performed by shared accounts
- Password change records and rotation documentation
- Quarterly access review reports confirming continued necessity of shared accounts
- Termination records showing timely removal of access for departing users
- System configuration screenshots showing shared account restrictions and monitoring
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically discovers and inventories all shared accounts across your systems, flags those without documented exceptions, and tracks quarterly review completion—eliminating manual spreadsheet tracking for PCI DSS 8.2.2 compliance.
See how GRCWatch handles this control automatically
Start free trial