If a session is idle for more than 15 minutes, what should happen?

Multiple Choice

If a session is idle for more than 15 minutes, what should happen?

Explanation:
Idle-time re-authentication is a session-management control that protects cardholder data by ensuring that an unattended workstation cannot be misused. When a user session has been idle for 15 minutes, requiring the user to re-authenticate before the session is re-activated confirms that the legitimate user is still present and prevents someone else from taking over an open session. This tightens protection against session hijacking and accidental exposure when devices are left unattended. The other options either delay re-authentication too long, claim no re-authentication is needed, or require re-authentication after an even longer period, all of which increase risk. The correct answer is therefore to require re-authentication after 15 minutes of inactivity.

