User inactivity logout after 15 min
It would be great if standard users were logged out after 15 minutes of inactivity just like the PCI Administrator is. This would reduce security risks even more.
Particularly in CMS 10.0, our PCI security assessor determined that a user logged in as a non-PCI Admin user was not able to access credit card data, so it was really deemed a low threat and did not require further management.
That said, I agree it would still be nice to have in CMS. For assorted reasons, you want to make sure that your users are operating under their own credentials (inventory adjustments, adjusting customer credits, etc.) that are outside the scope of PCI but still important to the business.