Main Nav

We have a couple question regarding PCI SAQ D version 2.0. requirement 8.5.

Requirement 8.5:
"Are proper user identification and authentication management controls in place for non-consumer users and administrators on all system components, as follows...." [1]
1) We had proposed to use Active Directory (AD) to manage requirement 8.5. Does anyone have experience to indicate that AD will not work for this implementation?

2) Is anyone managing local user accounts, instead of AD user accounts, within their PCI implementation?  

Thanks for your input.


[1] there are 16 sub-requirements (8.5.1 - 8.5.16) that I did not paste into this e-mail, but maybe found on

Nicholas Recchia, Ed.D.
Security Administrator
ITS - Security Services

University of San Francisco
Lone Mountain North - 236a
2130 Fulton Street
San Francisco, CA 94117
ITS Help Desk, Phone: 415-422-6668, E-mail:
Fax: 415-422-6719