The Payment Card Industry Data Security Standard (PCI-DSS) regulates all companies that handle or store cardholder data. This makes PCI-DSS a core concern for virtually all online sellers.

Password hygiene is one of the most important aspects of PCI regulations. Compliant organizations need password policies that meet PCI-DSS requirements. But what does this mean in practice? How can organizations change their policies to achieve compliance?

This article will explain the main PCI-DSS password requirements. Our PCI DSS checklist will list the actions needed to meet industry regulations and secure cardholder data. We will provide the information required to solve the password part of the data security puzzle.

Understanding the PCI DSS password requirements

Password security is a familiar part of general cybersecurity systems. And achieving compliance with PCI password requirements is not complex. But compliant organizations need to be thorough. Many steps and measures are involved, and this checklist covers them all.

Requirement 1: Use strong passwords

A strong password is almost impossible to guess and is not related to information about the individual user. PCI-DSS security standards include a strict set of criteria for strong passwords. And every user on the network needs to fulfill these rules:

  • Password length. Passwords should be at least seven characters long. This is a minimum password length. Ideally, organizations will demand longer passwords. More than 12 characters is optimal, and going beyond the minimum length is preferable. The more characters a password has, the more computation a brute-force attack needs, so extending password lengths makes sense.
  • Password complexity. Password complexity refers to the use of diverse characters to create passwords. Users should not rely on weak passwords made solely from alphabetic characters. Administrators must require a mixture of upper and lower case letters. Users should add at least one number and a special character.

It is important to enforce both length and character diversity. Left alone, users often fall back on long dictionary words. These are generally considered weak passwords: easy to remember, but also easy to guess. Combining length with diverse characters solves this problem.

Requirement 2: Choose unique passwords

Passwords should be unique to each user. Users should not share passwords on the same account. Each user must have their own ID and password, and breaches of this policy should result in disciplinary action.

Users should not use the same password on different services – even services used in their personal life. Many people rely on familiar terms to make life simpler. But this is extremely risky. If attackers obtain credentials on one platform, they can reuse them to access the user's accounts on every other service.

Requirement 3: Regularly change user passwords

Eventually, all passwords are compromised. PCI-DSS password requirements solve this problem by demanding regular password changes for every network user.

The PCI regulations state that users should change their passwords every 90 days. Administrators should not rely on user initiative to make changes. The 90-day limit should be part of a compliant password policy. Users should receive reminder emails before expiry. And access should be denied if changes are not made within the time limit.

Admins should also prevent recycled passwords. Users may alternate between two passwords for convenience. But this is risky from a security perspective.

Requirement 4: Encrypt password data

Organizations must encrypt all password data at rest on their servers, or ensure that cloud service providers encrypt hosted data. Encryption should also apply to password data in transit across network infrastructure. Use 256-bit encryption that has no known weaknesses, and use secure storage to restrict access to encryption keys.

Requirement 5: Exclude users after failed login attempts

The password policy should include measures to guard against illegitimate logins. PCI standards state that users should have a maximum of six failed login attempts.

Once that limit is reached, the system locks the account, and the user is denied access until they change their password via a secure channel. This is preferable to locking users out for a fixed period: users will need to inform administrators of the issue, and admins can then check for potential threats and take necessary action.

It's also important to ensure that users do not recycle compromised passwords. Users often resort to familiar passwords to make life simpler. But compromised passwords will always represent a security risk. Automate systems that reject previously used passwords and prompt users to choose a new term.

Requirement 6: Enforce session timeouts

Inactive users pose a critical security threat, and this is recognized by PCI standards. Inactivity could be evidence that employees have left their workstations. If they are working remotely, security teams have no way of knowing whether the device is exposed during their period of absence.

To achieve PCI compliance, administrators should automatically terminate sessions after 15 minutes of inactivity. Alerts can inform users if the timeout is approaching, but enforcing timeouts is a good way to minimize data breach risks.
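Requirements 3, 5 and 6 above can be expressed as account-state logic. The following Python sketch is an added example, not code from the original article: it models one account with salted-hash password storage (the hash choice is an assumption), refuses recycled passwords, locks after six failed attempts until the password is changed, expires passwords after 90 days, and ends sessions idle for 15 minutes. Times are plain epoch seconds so the logic is easy to check.

```python
import hashlib
import os

DAY, MINUTE = 86_400, 60                      # all times below are epoch seconds
MAX_PASSWORD_AGE = 90 * DAY                   # Requirement 3: change every 90 days
MAX_FAILED_ATTEMPTS = 6                       # Requirement 5: six attempts, then locked
IDLE_TIMEOUT = 15 * MINUTE                    # Requirement 6: 15-minute inactivity limit

def _hash(password, salt):
    # Salted PBKDF2-HMAC-SHA256 so stored credentials are never plaintext (hash choice is an assumption)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, password, now):
        self.history = []                       # (salt, hash) of every password ever set
        self.failed_attempts, self.locked, self.last_activity = 0, False, None
        self.set_password(password, now)

    def set_password(self, password, now):
        """Requirement 3: rotate the password, refusing any previously used one."""
        if any(_hash(password, s) == h for s, h in self.history):
            return False
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.password_set_at = now
        self.failed_attempts, self.locked = 0, False   # a fresh password clears a lockout
        return True

    def password_expired(self, now):
        return now - self.password_set_at >= MAX_PASSWORD_AGE

    def login(self, password, now):
        """Requirement 5: deny access once locked or expired; six failures lock the account."""
        salt, current = self.history[-1]
        if self.locked or self.password_expired(now):
            return False
        if _hash(password, salt) != current:
            self.failed_attempts += 1
            self.locked = self.failed_attempts >= MAX_FAILED_ATTEMPTS
            return False
        self.failed_attempts, self.last_activity = 0, now
        return True

    def session_active(self, now):
        """Requirement 6: an idle session is terminated; activity refreshes the clock."""
        if self.last_activity is None or now - self.last_activity >= IDLE_TIMEOUT:
            self.last_activity = None
            return False
        self.last_activity = now
        return True
```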

Requirement 7: Change all vendor default passwords

Companies rely on third-party apps and devices within their cardholder data environment. All of these services come with default settings, including passwords. And these passwords are usually either publicly available or easy to guess.

Attackers can easily gain access to credit card data if admins fail to change default passwords. Make these changes part of your basic security policies. And enforce unique passwords for all assets.

Are the PCI password requirements sufficient to prevent cyber attacks?

PCI-DSS password regulations should not be seen as a comprehensive shield against cyber attacks. The regulations seek to protect cardholder data and reduce basic data breach risks. But without reinforcement, they leave significant gaps for attackers. Relying on PCI-DSS rules is a risky strategy.

Passwords are also not the only critical cybersecurity issue. Companies need strategies to harden network devices and protect the network edge. Firewalls, threat detection systems, and access management all have roles to play.

Remote access is also an important security risk. Strong passwords cannot eliminate security risks related to remote work. Companies need to use secure gateways and Virtual Private Networks to encrypt traffic. And they also need to train employees to prevent phishing attacks. Password policies are irrelevant if staff compromise network assets by clicking on malicious links.

How can PCI password requirements be enhanced?

1. Put in place multi-factor authentication (MFA)

MFA and two-factor authentication (2FA) add another set of barriers to unauthorized entry. Both systems require additional credentials before allowing access requests.

There are many ways to design a multi-factor authentication solution. For example, two-factor authentication could include one-time codes delivered via electronic tokens or smartphones. MFA can also leverage biometric factors such as retina and fingerprint scans.

MFA best practices advise against applying authentication factors without careful planning. It's important to streamline access as much as possible. If the user experience is too complex, users can work around authentication systems via insecure solutions. So weigh up the benefits of MFA vs 2FA and take your business context into account.

Focus on protecting critical parts of the cardholder data environment (CDE). This will meet PCI-DSS requirements and limit the need for time-consuming authentication processes in other parts of the network.

2. Use a secure password manager

Password managers automate many PCI password requirements and make life easier for both administrators and users. A password manager solution will:

  • Generate strong and unique terms automatically.
  • Ensure that passwords are not recycled.
  • Prohibit password sharing between different accounts.
  • Store password data securely via encryption.
  • Streamline user requests to change passwords or solve access problems.

With a password manager, users can autofill login forms without compromising security. Passwords are not stored locally. They are protected by watertight encryption, preventing wholesale credential theft.

Cutting-edge password managers combine these functions with passkey holders. These secure authentication tokens remove the need for character-based passwords and work well with mobile devices.

3. Use threat intelligence tools to screen leaked passwords

Cyber attackers routinely steal and sell user credentials. But targeted organizations are not always aware of leaks. This opens the door to attacks via stolen passwords. Attackers can simply hijack existing accounts without users or admins knowing about their activity.

Threat intelligence databases offer a solution. These tools constantly monitor the Dark Web and other markets for stolen credentials. They deliver automated alerts when network users seek to use stolen passwords. And they enforce password changes if they detect a match.

4. Maintain a password blacklist

Users often fall back on basic passwords to streamline access. But this is far too risky from a PCI compliance perspective. Companies should leverage all available tools to eliminate basic passwords from their databases. And blocking commonly used terms is a good place to start.

Password blocklists include the most popular terms (such as "ABC123" or "default"). You can extend the blocklist with common dictionary words, and you can make blocking context-specific: for instance, block any terms related to the user's job role, name, or location.
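As an added example (not from the original article) covering both Requirement 1 and the blocklist described here, the following Python validator checks the seven-character minimum, the mixed-case, digit and special-character rule, a constructed blocklist of common terms, and user-specific context terms such as name or job role. The blocklist entries "ABC123" and "default" and the 12-character recommendation come from the article; the other entries and the helper names are assumptions.

```python
import re
import string

# Policy constants taken from the article: 7-character PCI minimum, 12 recommended.
MIN_LENGTH = 7
RECOMMENDED_LENGTH = 12

# Constructed sample blocklist of commonly used terms (the article names "ABC123" and "default").
COMMON_BLOCKLIST = {"abc123", "default", "password", "123456", "qwerty", "welcome"}


def policy_violations(password, blocklist=COMMON_BLOCKLIST, context_terms=()):
    """Return a list of policy violations for `password`; an empty list means it passes.

    `context_terms` are user-specific words (name, job role, location) that must not
    appear inside the password, per the article's context-specific blocking advice.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    lowered = password.lower()
    # Compare case-insensitively and ignore trailing digits/punctuation ("Default1!" still hits "default").
    stripped = lowered.rstrip(string.digits + string.punctuation)
    if lowered in blocklist or stripped in blocklist:
        problems.append("matches a blocklisted term")
    for term in context_terms:
        term = term.lower()
        if len(term) >= 3 and term in lowered:
            problems.append(f"contains user-related term '{term}'")
    return problems


def is_acceptable(password, **kwargs):
    return not policy_violations(password, **kwargs)


def strength_note(password):
    """Advisory only: the article recommends going well beyond the 7-character minimum."""
    return "meets recommended length" if len(password) >= RECOMMENDED_LENGTH else "meets minimum only"
```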

Conclusion: meet PCI password requirements with careful planning

An effective password policy is a critical part of PCI compliance. PCI-DSS regulations require organizations to demand strong, regularly changed passwords. Compliant companies must encrypt password data, manage failed logins, and enforce timeouts for inactive users. And sharing user passwords is completely prohibited.

Multi-factor authentication, password managers, and threat intelligence tools add extra security. They may not be necessary for lower-level PCI compliance. But at higher PCI levels these additional tools are essential.

Putting in place these measures requires planning. All users must be covered by the password policy, including third parties with CDE access. And admins need to assess vendor-supplied apps to remove default passwords.