What should the system/session idle time out features be set to or less?

Prepare for the PCI DSS QSA Exam with detailed quiz questions. Sharpen your understanding with multiple choice questions, each curated to enhance your readiness for the official test. Ace your certification!

The appropriate configuration for system or session idle timeout features is 15 minutes or less. Setting an idle timeout of 15 minutes is a security best practice aimed at minimizing the risk of unauthorized access: a session left active without user interaction is an exposure point, since anyone who reaches the unattended workstation or console can use the still-authenticated session.

By enforcing a timeout of 15 minutes, organizations create a balance between usability and security. This timeframe is enough to accommodate brief interruptions without requiring constant re-authentication, while still mitigating the risk of session hijacking or unauthorized access after a period of inactivity. This aligns with the PCI DSS requirement that emphasizes session management to protect cardholder data and sensitive information.

Longer timeouts, such as 30 minutes, would not adhere to the best practice, as they widen the window of opportunity for a malicious actor to use an unattended session. Therefore, the choice of 15 minutes effectively addresses the security concern while providing a reasonable user experience.
