GRCWatch
Sign inStart free trial

PCI DSS 8.2.8: Re-Authentication Requirements for Idle User Sessions

Session hijacking and unauthorized access are common vectors for cardholder data breaches. PCI DSS 8.2.8 requires you to terminate inactive user sessions and force re-authentication after just 15 minutes of idle time. This control is non-negotiable for any organization handling payment card data.

What this means

This control mandates that any user session inactive for more than 15 minutes must be terminated, requiring the user to log in again before continuing work. The 15-minute threshold prevents attackers from exploiting unattended workstations or leftover sessions to access sensitive systems and cardholder data environments. This applies to all systems accessing the cardholder data environment (CDE), including administrative, remote access, and application-level sessions.

How to comply

  1. 1.Configure all systems and applications to track user activity and measure idle time accurately
  2. 2.Set session timeout parameters to 15 minutes or less of consecutive inactivity across all CDE-connected systems
  3. 3.Implement automatic session termination when the idle threshold is reached
  4. 4.Force users to re-authenticate with valid credentials (username/password or multi-factor authentication) to resume work
  5. 5.Document your session timeout configuration across all systems, including servers, databases, applications, and remote access tools
  6. 6.Test idle timeout functionality regularly to verify sessions terminate and re-authentication is enforced
  7. 7.Monitor session logs to identify and investigate any sessions exceeding the 15-minute idle period

Evidence auditors look for

  • System configuration files showing session timeout set to 15 minutes or less
  • Application settings screenshots displaying idle timeout parameters
  • Remote access tool (VPN, RDP, SSH) configurations with timeout rules enabled
  • Session and authentication logs demonstrating users were forced to re-authenticate after idle periods
  • Test results confirming sessions automatically terminate at the 15-minute mark
  • Policy documentation defining idle timeout requirements and exceptions (if any)
  • Monitoring reports showing compliance with idle session termination across the CDE

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically monitors idle session configurations across your entire CDE infrastructure, tests timeout enforcement, and generates audit-ready evidence—eliminating manual configuration tracking and session log analysis.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 8.1 — User Access Control PoliciesPCI DSS 8.2 — User Authentication and Access ManagementPCI DSS 8.3 — Multi-Factor Authentication for Administrative AccessPCI DSS 8.5 — Account Lockout and Password Reset ProceduresPCI DSS 10.2 — User Activity Logging and Monitoring