The standard time for logging out a user from a fintech app due to inactivity is not universally fixed by cybersecurity frameworks, but there are general guidelines and best practices provided by major standards like ISO/IEC 27001, PCI-DSS, and other cybersecurity and regulatory frameworks.
1. ISO/IEC 27001 (Information Security Management)
ISO/IEC 27001 does not explicitly mandate a specific logout timeout period, but it does require organizations to implement security controls that protect against unauthorized access. The standard calls for organizations to establish proper access control measures, which may include session timeouts after a defined period of inactivity.
- Control Objective: Ensure users are automatically logged out after a predefined period of inactivity.
- Best Practice: A common recommendation is to set timeouts between 5 and 15 minutes of inactivity for sensitive applications, based on risk assessment.
2. PCI-DSS (Payment Card Industry Data Security Standard)
PCI-DSS provides specific requirements for logging out users after inactivity, especially for systems that handle payment card information. According to PCI-DSS v4.0 (Section 8.1.10):
- Timeout Period: For systems that store, process, or transmit cardholder data, the standard recommends that the application automatically log out users after 15 minutes of inactivity.
- Exception for High-Risk Environments: In environments where sensitive data is accessed, session timeouts should be set to less than 15 minutes to minimize the risk of unauthorized access.
3. NIST (National Institute of Standards and Technology)
NIST guidelines, particularly from NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems), also recommend automatic session termination after inactivity.
- NIST SP 800-53 (AC-12): It suggests a session timeout of 15 minutes for systems requiring higher levels of security, particularly where access to sensitive data is involved.
- Additional Recommendations: NIST also allows customization based on risk assessments, with shorter timeouts for higher-risk applications.
4. Other Regulations (e.g., GDPR, HIPAA)
For financial apps or fintech apps operating in regulated environments, like those governed by GDPR or HIPAA, an inactivity timeout is often treated as a risk management decision rather than a prescriptive rule. However, the principle remains that systems should implement sufficient controls to protect sensitive data from unauthorized access.
Best Practices
- Timeout Period: Most commonly, the recommended inactivity timeout is between 5 and 15 minutes. For highly sensitive applications (e.g., fintech platforms that handle financial transactions or PII), a more conservative timeout (e.g., 5 minutes) may be appropriate.
- Session Re-authentication: If an app needs to extend the session beyond the inactivity timeout, it is recommended to require re-authentication (such as re-entering credentials or using multi-factor authentication) before re-establishing a session.
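As an added example (not taken from any of the standards above or from the original answer), here is a minimal server-side session store in Python that applies the tiered idle timeouts discussed above and, instead of silently extending an expired session, drops it so the user must re-authenticate; the tier names and the injectable clock are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional
import secrets
import time

# Idle timeouts per risk tier, in seconds. Tier names are assumed for
# illustration; the values are the 15-minute PCI-DSS figure and the
# 5-minute value suggested above for highly sensitive fintech flows.
IDLE_TIMEOUTS = {"standard": 15 * 60, "high_risk": 5 * 60}

@dataclass
class Session:
    user: str
    tier: str
    created_at: float
    last_activity: float

class SessionStore:
    """Server-side session store that enforces the idle timeout on every
    request, so a client that stops running its own inactivity timer
    cannot keep a session alive."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock  # injectable so tests can advance time
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, tier: str = "standard") -> str:
        # A fresh, unguessable id is issued only after authentication.
        # Expired sessions are never reused, so "extending" a session
        # past the timeout always means passing through this step again.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user, tier, now, now)
        return sid

    def touch(self, sid: str) -> Optional[Session]:
        """Validate a session for one request and record the activity.
        Returns None for an unknown id or an idled-out session; the expired
        record is deleted so a later request cannot revive it, and the
        caller must send the user back through re-authentication."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_activity > IDLE_TIMEOUTS[s.tier]:
            del self._sessions[sid]
            return None
        s.last_activity = now
        return s
```

Because the check runs on the server for every request, a tampered or frozen client-side timer cannot keep the session open past the configured limit.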
Summary
- PCI-DSS: 15 minutes inactivity timeout (with flexibility depending on risk).
- ISO/IEC 27001: Does not specify, but recommends implementing access controls based on risk assessment.
- NIST SP 800-53: Typically 15 minutes of inactivity.
- Best Practice: A range of 5 to 15 minutes, adjusted based on the risk and sensitivity of the app’s data.
For fintech apps, it's essential to balance security with user experience, adjusting the timeout period according to the app's risk profile and the type of data involved.