Where applicable, the use of generic and shared accounts to administer systems or perform critical functions is prohibited; generic user IDs are disabled or removed.
Use of shared or generic accounts limits the ability to ensure authenticity and integrity. Someone outside the organization could exploit this and their actions could not be easily traced.
This control applies to all systems within our production environment that are in-scope for PCI compliance.
Review and document the accounts required for a given system and disable all unnecessary accounts. Shared accounts should not be used. If their use is unavoidable, compensating controls should be applied to add accountability.
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Shared Account Restrictions control issue.
Examples of evidence an auditor might request to satisfy this control: