GRCWatch
Sign inStart free trial

PCI DSS 8.3.8: Communicating Authentication Policies to All Users

Authentication policies mean nothing if your users don't understand them. PCI DSS 8.3.8 requires organizations to document and communicate authentication procedures to every user—a foundational step that prevents credential misuse and strengthens your security posture. Without clear communication, users default to weak practices, leaving your cardholder data at risk.

What this means

This control mandates that your organization create written authentication policies and actively communicate them to all users with access to cardholder data environments. It's not enough to have policies locked in a manual—they must be documented in clear language and delivered to staff in a way that ensures understanding and acknowledgment. This includes password requirements, multi-factor authentication rules, access request procedures, and consequences for non-compliance.

How to comply

  1. 1.Document your complete authentication policy, including password complexity, expiration, reuse restrictions, and any MFA requirements.
  2. 2.Define and document authentication procedures for all user types: employees, contractors, administrators, and vendors.
  3. 3.Communicate policies through multiple channels—employee handbooks, onboarding training, email campaigns, and intranet postings.
  4. 4.Require written acknowledgment from all users confirming they have received, understood, and agree to follow authentication policies.
  5. 5.Include authentication policy details in your incident response plan and disciplinary procedures.
  6. 6.Review and update policies annually or when security requirements change; re-communicate updates to all users.
  7. 7.Maintain records of policy distribution and user acknowledgment for audit evidence.

Evidence auditors look for

  • Signed policy acknowledgment forms or attestations from all users (digital or printed).
  • Employee handbook or security policy document with authentication section dated and version-controlled.
  • Email communications or memos distributing authentication policy updates with delivery/read receipts.
  • Training records showing authentication policy coverage in onboarding or annual compliance training.
  • Screenshots or printouts of intranet or shared drive postings displaying authentication policies.
  • HR records documenting when new hires received and acknowledged authentication policies.
  • Policy change logs showing review dates and communication of updates to the workforce.

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates policy distribution and user acknowledgment tracking, generating audit-ready proof that every team member received and confirmed authentication policies—eliminating manual spreadsheets and acknowledgment follow-ups.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 8.1 — User Identification and AuthenticationPCI DSS 8.2 — Assign Unique User IDsPCI DSS 8.3 — Restrict Access by Business Need to KnowPCI DSS 8.5 — Prevent Reuse of Authentication CredentialsPCI DSS 12.6 — Formally Address Information Security in Policies