Authentication with Biometric Devices


Jeff Carolus
10-21-2009, 11:43 AM
We have an application that allows identification of the employee with only their fingerprint.

For the application to be compliant, are logins (not remote) with biometric devices such as fingerprint readers considered to be a substitute for a username/password?

Thanks for any input!

lyalc
10-21-2009, 12:01 PM
Biometric access control is specifically permitted in PCI DSS 8.2, so yes you can.
However, you also need to ensure each user's actions are traceable to the user (PCI section 10).
For example, it's not compliant to have a single account with each individual having a finger registered as one of the "fingers" stored and recognised by the biometric product (most allow registration of several 'fingers' in case of injury, dirt, etc. affecting one finger).

lyalc
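
As an added illustration of the traceability point above (example code written for this thread, not from any poster or biometric product; the enrollment records, template ids and names are constructed), the check below flags an account fed by more than one person's fingers while still allowing several fingers per person:

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Enrollment:
    template_id: str   # opaque id of a stored fingerprint template (constructed)
    person: str        # the human who presented the finger
    account: str       # the login account the reader maps that template to
    finger: str        # e.g. "right-index"; several per person are fine


def shared_account_violations(enrollments):
    """Return accounts whose templates come from more than one person.

    Several fingers per person under that person's own account is fine
    (injury, dirt); one account fed by several people's fingers means an
    audit record for that account cannot be traced to an individual.
    """
    people_per_account = defaultdict(set)
    for e in enrollments:
        people_per_account[e.account].add(e.person)
    return {acct: sorted(p) for acct, p in people_per_account.items() if len(p) > 1}


def attribute_event(enrollments, template_id):
    """Resolve a matched template to the account the audit trail records."""
    matches = {e.account for e in enrollments if e.template_id == template_id}
    if len(matches) != 1:
        raise ValueError(f"template {template_id!r} maps to {len(matches)} accounts")
    return matches.pop()


# Constructed sample enrollment data
NON_COMPLIANT = [  # one shared till account, fingers from two people
    Enrollment("t1", "alice", "register1", "right-index"),
    Enrollment("t2", "bob", "register1", "right-index"),
    Enrollment("t3", "alice", "register1", "left-index"),
]
COMPLIANT = [  # one account per person, two fingers for alice
    Enrollment("t1", "alice", "alice", "right-index"),
    Enrollment("t2", "alice", "alice", "left-index"),
    Enrollment("t3", "bob", "bob", "right-index"),
]

if __name__ == "__main__":
    print(shared_account_violations(NON_COMPLIANT))  # {'register1': ['alice', 'bob']}
    print(shared_account_violations(COMPLIANT))      # {}
    print(attribute_event(COMPLIANT, "t2"))          # alice
```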

Jeff Carolus
10-21-2009, 12:21 PM
Thanks! That's one less re-write we have to do.

rx.jeff
01-04-2010, 09:04 AM
I just want to throw in my two cents commentary here... recently, my wife and I went to Universal Studios Orlando and at both of the parks offered there, they require fingerprint registration along with the admission pass which is bar-coded. I can't help but think of what will happen to my biometrics which I am assuming is a PII (personal identifiable info) which should be protected as such when they register my pass and tie it to my credit card that I used online to purchase and picked up the passes at one of their kiosks... would that be protected under PCI or under some other PII law I wonder?