Clarification of PCI DSS 3.1 requirement 6+8
I'm quite puzzled about the PCI requirements when it comes to session timeouts and scope definitions.
The login is the end user/customer login to the public facing control panel in which they can handle their own transactions. We act as PSP. The customer cannot see card numbers and expiry dates. They can simply capture already authorized payments and make subscription payments.
Requirement 6.5.10 states:
Incorporating appropriate time-outs and rotation of session IDs after a successful login.
Requirement 8 note states:
Note: These requirements are applicable for all accounts, including point-of-sale accounts, with administrative capabilities and all accounts used to view or access cardholder data or to access systems with cardholder data. This includes accounts used by vendors and other third parties (for example, for support or maintenance)
And requirement 8.1.18 states:
If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.
So my question is; does requirement 8 apply to the public facing web interface for customers (meaning that an appropriate timeout could be e.g. 60 minutes instead of just 15) or does it only apply to administrative access to the systems e.g. via SSH or an internal web interface only accessible by employees in scope.
15 minutes is a very short amount of time for session timeouts for our customers which are often web shops who handles orders as they come in. They need to log in over and over again during the day, since they do all their payment handling through our end user interface and not via the API.
