Passwords remain the most common way to authenticate users and gate access to IT systems, applications, data, and other resources. The Payment Card Industry Data Security Standard (PCI DSS) requires organizations that store, process, or transmit cardholder data to identify and authenticate everyone who can reach that data. The information necessary for constructing a company-wide PCI password policy can be found directly in the DSS Requirements.
Constructing Your Organization’s PCI Password Policy
The PCI Data Security Standard (DSS) sets out, in 12 Requirements, the protections that merchants and service providers must maintain when securing cardholder data. Requirement 2 specifies that organizations must “not use vendor-supplied defaults for system passwords and other security parameters.”
Requirement 8 (titled “Identify and authenticate access to system components” in v3.2.1, and in earlier versions “Assign a unique ID to each person with computer access”) and its sub-requirements cover the remaining identification, password, and authentication measures.
Assigning unique identifiers serves two purposes:
- Each ID is bound to its own credential, so access to systems, applications, and data can be granted and revoked per person rather than through shared or generic accounts.
- All activity conducted within your network can be traced to the individual user ID that performed it, which is the basis for the audit trails Requirement 10 depends on.
If your users hold administrative privileges or can reach stored cardholder data, PCI DSS mandates that their accounts be protected by the identification, authentication, and credential controls described below. Implementing a company-wide PCI compliance password policy that upholds these minimums (and, ideally, exceeds them) will help ensure that you maintain compliance.
PCI DSS Requirement 2: Changing Default Passwords
Password protection under PCI DSS Requirement 2 (sub-requirement 2.1) requires changing every vendor-supplied default password, and removing or disabling unnecessary default accounts, before new hardware or software is placed on the network. This covers operating systems, security software, application and system accounts, point-of-sale terminals, payment applications, and SNMP community strings. Default passwords are never secure: they are trivial (e.g., “PASSWORD” or “admin”), they are published in vendor documentation, and attackers scan for them automatically. Implementing a company-wide policy (and developing the habit) to update them immediately will help ensure your compliance efforts are successful.
While more in line with Requirement 8, companies should also institute a policy that requires sufficient complexity and uniqueness for the initial passwords generated for new user accounts. Many organizations derive initial passwords from a predictable format (e.g., a user’s last name followed by the first two letters of the first name) that others can easily reconstruct from a staff directory or through social engineering.
Initial passwords generated according to a consistent format are never secure; each should be a unique value that the user is forced to change on first use.
PCI DSS Requirement 8: Password and Authentication Specifications
The PCI Security Standards Council (SSC), which maintains the DSS (enforcement is carried out by the card brands and acquiring banks, not the SSC itself), groups Requirement 8 under the broader goal that companies must “implement strong access control measures.” The sub-requirement numbering below follows PCI DSS v3.2.1; v4.0 renumbers Requirement 8 and raises several minimums (for example, a 12-character password length), so confirm which version your assessment targets. The sub-requirements elaborate on the efforts your company must make:
- Sub-requirement 8.1 – Define and implement policies and procedures that ensure proper user identification management on all system components. Every user must be assigned a unique ID before being allowed to access system components or cardholder data; terminated users’ access must be revoked immediately, and inactive accounts removed or disabled within 90 days.
- Sub-requirement 8.2 – Every user must be authenticated by at least one of three authentication factors, and all authentication credentials must be rendered unreadable (using strong cryptography) during transmission and storage:
  - “Something you know” – exemplified by passwords and passphrases
  - “Something you have” – exemplified by physical tokens or smart cards
  - “Something you are” – exemplified by fingerprint and other biometric methods
- Sub-requirement 8.3 – Multifactor authentication (MFA) must protect access to the cardholder data environment (CDE). MFA requires at least two different factors from the 8.2 list, and the factors must be independent so that compromising one does not compromise the other. Under v3.2.1 you must enforce MFA for:
  - All individual non-console administrative access to the CDE, including access from within your own network
  - All remote network access (administrators, users, and third parties) originating from outside your company’s network
  (v4.0 extends this to all access into the CDE.)
- Sub-requirement 8.4 – Authentication policies and procedures must be documented and communicated to all users, including guidance on choosing strong credentials and on not reusing them.
- Sub-requirement 8.5 – Group, shared, or generic IDs, passwords, and other authentication methods are prohibited; IDs may not be shared by multiple users. Service providers with remote access to multiple customers’ environments must use unique credentials for each customer.
- Sub-requirement 8.6 – Where other authentication mechanisms are used (physical or logical tokens, smart cards, certificates), each must be assigned to an individual account and not shared.
- Sub-requirement 8.7 – All access to databases that store cardholder data, including access by applications and administrators, must be restricted as follows:
  - User access to, queries of, and actions on the database must go through programmatic methods (the application), not ad hoc connections.
  - Direct access or query capability must be restricted exclusively to database administrators.
  - Application IDs for the database application must only be used by that application (i.e., not by individual users or non-application processes).
- Sub-requirement 8.8 – Security policies and operational procedures for identification and authentication must be documented, in use, and known to all affected parties.
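The storage half of sub-requirement 8.2 (credentials unreadable at rest) and the password-history rule under 8.2.5 (reject any of the last four passwords) are the two places where a policy most often fails in code rather than on paper. The following is an added example written for this article, not code from the article or from any PCI SSC publication. It uses only the Python standard library: salted PBKDF2-HMAC-SHA256 via `hashlib`, a fresh random salt per password via `secrets`, and a constant-time comparison via `hmac`. The record format `pbkdf2_sha256$<iterations>$<salt>$<hash>` and the class and function names are this example’s own assumptions, not a PCI-mandated layout.

```python
"""Salted, iterated password hashing with a last-four history check.

Added example, not from the original article. Standard library only.
The record format and names below are this example's own assumptions.
"""
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # OWASP (2023) guidance for PBKDF2-HMAC-SHA256
HISTORY_DEPTH = 4              # PCI DSS 3.2.1 req. 8.2.5: reject the last four passwords


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record; a fresh 16-byte salt is drawn per call."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and iteration count; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    _, iterations, salt_b64, hash_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


class CredentialStore:
    """In-memory store: per user, the newest record first, at most HISTORY_DEPTH kept."""

    def __init__(self, iterations: int = DEFAULT_ITERATIONS):
        self.iterations = iterations
        self._records: dict = {}   # user_id -> [newest, ..., oldest]

    def set_password(self, user_id: str, new_password: str) -> bool:
        """Store a new password unless it matches one of the last HISTORY_DEPTH (8.2.5)."""
        history = self._records.get(user_id, [])
        for old_record in history[:HISTORY_DEPTH]:
            if verify_password(new_password, old_record):
                return False   # reused within the last four: rejected
        new_record = hash_password(new_password, self.iterations)
        self._records[user_id] = ([new_record] + history)[:HISTORY_DEPTH]
        return True

    def authenticate(self, user_id: str, password: str) -> bool:
        """Check against the current (newest) record only."""
        history = self._records.get(user_id)
        if not history:
            # Hash anyway so an unknown user costs the same time as a known one.
            hash_password(password, self.iterations)
            return False
        return verify_password(password, history[0])
```

Only the hashes of previous passwords are kept, so the history check costs one PBKDF2 computation per stored record; that is deliberate, since storing old passwords in a reversible form would itself violate 8.2.1. Lower the iteration count only for tests, never in production.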
Requirement 8: Password Complexity and Storage Compliance
When maintaining a PCI compliance policy for your users’ passwords, enforce at least the following (the numbers are the v3.2.1 minimums; tightening them is encouraged):
- Do not reuse user IDs, even after the previous holder’s access has been revoked, so that historical log entries stay attributable to one person.
- Limit repeated access attempts: lock the user ID after no more than six failed login attempts, and keep it locked for at least 30 minutes or until an administrator re-enables it.
- Revoke access immediately when a user leaves, and delete or disable accounts that are not associated with an active user (“orphan accounts”) within 90 days of inactivity.
- Set first-time and reset passwords to a unique value for each user and force a change on first use; never hand out a shared or formulaic initial password.
- Define minimum password complexity requirements and best practices clearly:
- Require a minimum of seven characters for a password.
- Require passwords to contain both letters and numbers.
- Require users to change their passwords at least every 90 days.
- Reject any new password that matches one of the user’s last four passwords.
- Provide a resource for users to check their password complexity and strength before it is submitted.
- Educate users on the security dangers of reusing passwords across multiple accounts, especially between professional and personal logins, since a breach of an unrelated site then exposes your credentials to credential-stuffing attacks.
One method for instantly bolstering your authentication and credential security is encouraging your users to rely on “passphrases.” Effectively just longer passwords, passphrases offer users a double benefit: more characters for an attacker to guess and easier recall. A passphrase of seven or more characters that also includes at least one digit meets the minimum complexity requirement of your PCI information security policy.
It’s much easier to remember a quote, song lyric, witty snippet, or other short phrase than the typical random string that forces users to write their credentials down, lest they forget them, an inherently insecure practice. For example, consider the difference in difficulty when remembering the following passwords:
- Traditional, “super strong” alphanumeric password – B.QU2nze*8W8J
- Passphrase – Aren’t4TreeFrogsGreat?
The passphrase example above is 22 characters long: 19 letters, one digit, and two punctuation characters. Its length, not its symbols, is what makes exhaustive brute-force guessing impractical. Length isn’t a burden if the phrase is easy to remember, and complexity may be increased further by adding numbers and special characters as needed. One caveat: famous quotes and lyrics appear verbatim in cracking wordlists, so a passphrase should be personal and unpublished rather than something an attacker can look up.
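To make the complexity and lockout rules from the list above concrete, and to show that both the random string and the passphrase pass them, here is an added example written for this article (not code from the article). It implements the v3.2.1 minimums for length and character classes (8.2.3) and the six-attempt, 30-minute lockout (8.1.6 and 8.1.7). The `Account` class, the function names, and the use of a caller-supplied timestamp instead of the wall clock are this example’s own choices; the straight ASCII apostrophe in the passphrase is assumed, since the curly one in the text is a typesetting artifact most keyboards cannot produce.

```python
"""PCI DSS 3.2.1 password-policy checks: complexity (8.2.3) and lockout (8.1.6/8.1.7).

Added example, not from the original article. Names are this example's own.
Thresholds are the standard's minimums; tighten them locally, and note that
PCI DSS v4.0 raises the minimum length to 12 characters.
"""
from dataclasses import dataclass

MIN_LENGTH = 7             # 8.2.3: at least seven characters
MAX_FAILED_ATTEMPTS = 6    # 8.1.6: lock after not more than six failed attempts
LOCKOUT_SECONDS = 30 * 60  # 8.1.7: locked for at least 30 minutes or until an admin unlocks


def check_complexity(password: str) -> list:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.isalpha() for ch in password):
        problems.append("contains no letters")
    if not any(ch.isdigit() for ch in password):
        problems.append("contains no digits")
    return problems


@dataclass
class Account:
    user_id: str
    failed_attempts: int = 0
    locked_until: float = 0.0   # Unix timestamp; 0.0 means not locked


def is_locked(account: Account, now: float) -> bool:
    return now < account.locked_until


def record_attempt(account: Account, credential_ok: bool, now: float) -> bool:
    """Apply one login outcome and return whether the login is allowed to succeed.

    `credential_ok` is the result of the password check; even a correct password
    is refused while the account is locked, and attempts during the lockout do
    not extend it (a design choice; some deployments do extend it).
    """
    if is_locked(account, now):
        return False
    if credential_ok:
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked_until = now + LOCKOUT_SECONDS
        account.failed_attempts = 0   # the counter restarts once the lockout expires
    return False


def admin_unlock(account: Account) -> None:
    """8.1.7 allows an administrator to end the lockout early."""
    account.locked_until = 0.0
    account.failed_attempts = 0


if __name__ == "__main__":
    for candidate in ["B.QU2nze*8W8J", "Aren't4TreeFrogsGreat?", "correct horse battery staple"]:
        print(repr(candidate), check_complexity(candidate) or "OK")
```

Passing `now` explicitly keeps the lockout logic testable without sleeping; in production pass `time.time()`. A lockout that resets its counter only on a successful login, as here, also means an attacker cannot keep an account permanently locked by one failure every 29 minutes unless they reach six consecutive failures again.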
What is Multifactor Authentication?
As the sub-requirements of Requirement 8 indicate, multifactor authentication requires two or more independent factors, not merely two steps that both rely on a password. The additional factor ensures that if one credential is compromised (a phished password, for instance), an intruder still cannot authenticate without the second. MFA is a critical component of any PCI compliance password policy.
The Payment Card Industry already relies on MFA for debit cards and their associated PINs (Personal Identification Numbers): the card is “something you have” and the PIN is “something you know.” Even if a thief steals the card, successful use requires the owner’s PIN; without the card or its primary account number (PAN), a PIN is useless.
True MFA requires that the credentials belong to different factor categories (e.g., “something you know,” “something you have,” “something you are”); two passwords, or a password plus a security question, are the same factor twice. The common second factor is a one-time password (OTP) generated by an authenticator app on the user’s phone (e.g., Google Authenticator) or, less securely, delivered by SMS. App-generated OTPs are time-based (TOTP): the app and the server share a secret, and each code is derived from that secret and the current time step, typically 30 seconds, so the code changes on that interval rather than being drawn at random. SMS delivery is the weakest option, since codes can be intercepted through SIM-swap attacks and SS7 weaknesses; prefer app-generated or hardware-token OTPs where you can.
Professional Consultation on Your PCI Compliance Password Policies
RSI Security specializes in compliance and information security efforts, providing assessment, testing, and consultative expertise. For your PCI compliance policy and procedures, RSI Security is a Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). If you have other regulations you must adhere to, RSI Security works with all major compliance efforts and frameworks (e.g., HITRUST, HIPAA, GDPR, and more).
Whether validating and attesting to your compliance or providing insight throughout your preparatory efforts, RSI Security offers everything you need to help ensure the process goes smoothly.
Contact RSI Security today to get started.
Download Our PCI DSS Checklist
Assess where your organization currently stands with being PCI DSS compliant by completing this checklist. Upon filling out this brief form you will receive the checklist via email.