Tuesday, September 20, 2016

What are the rules for passwords in PCI 3.0?

I find that to be a question with surprisingly fuzzy (conflicting and ambiguous) answers. Here is what I think the rules are, based upon an aggregate of various sources.

  1. Passwords should be at least seven characters long and contain an uppercase letter, a lowercase letter, a number, and at least one special character; by special characters we are specifically talking about at symbols, pound signs, carets, exclamation marks, and question marks. Moreover, asterisks, ampersands, spaces, plus signs, and percentage symbols should be disallowed. They are less special in this light. Source: https://limoanywhere.uservoice.com/knowledgebase/articles/170461-what-are-the-password-requirements-for-pci-complia
  2. A user cannot use his/her username as his/her password. Source: https://limoanywhere.uservoice.com/knowledgebase/articles/170461-what-are-the-password-requirements-for-pci-complia
  3. Passwords must expire every ninety days. Source: https://limoanywhere.uservoice.com/knowledgebase/articles/170461-what-are-the-password-requirements-for-pci-complia
  4. Users may not reuse any of the last four passwords when changing a password. Source: http://searchsecurity.techtarget.com/answer/Password-compliance-and-password-management-for-PCI-DSS
  5. There may not be shared passwords across multiple users or any other communal-bowl-esque approaches to breaking in. Source: http://searchsecurity.techtarget.com/answer/Password-compliance-and-password-management-for-PCI-DSS
  6. Do not use any canned defaults for first-time passwords. Source: https://thycotic.com/solutions/pci-dss-compliance/
  7. First-time passwords must have unique values, and you should also force users to change the first-time password to something else upon first login. Source: http://www.slideshare.net/nFrontSecurity/pci-password-policy-compliance-31299104
  8. Use strong cryptography standards and not, for example, plain text passwords in your recordkeeping. Source: Section 8 of "PCI DSS Quick Reference Guide Show" as listed at https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
  9. There should be two-factor authentication. Source: Section 8 of "PCI DSS Quick Reference Guide Show" as listed at https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
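
To make the list above concrete, here is an added Python example (my own illustration, not code from any of the sources cited) that enforces rules 1, 2, 3, 4 and 8 as a password policy checker: composition and the allowed/disallowed special characters, username reuse, ninety-day expiry, and a four-deep history compared against salted PBKDF2-HMAC-SHA256 hashes rather than stored plaintext. It assumes a case-insensitive comparison against the username and treats punctuation that is on neither list (for example a hyphen) as merely neutral; both are my interpretation, since the sources do not say.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Policy constants taken from rules 1, 3 and 4 above.
MIN_LENGTH = 7
ALLOWED_SPECIALS = set("@#^!?")      # the characters the source counts as "special"
DISALLOWED_CHARS = set("*& +%")      # the characters the source says to reject
HISTORY_DEPTH = 4                    # may not reuse any of the last four passwords
MAX_AGE = timedelta(days=90)         # passwords expire every ninety days
PBKDF2_ITERATIONS = 100_000          # constructed value; tune for your hardware


def hash_password(password, salt=None):
    """Rule 8: store a salted PBKDF2 digest, never the plaintext.
    Returns (salt, digest) so the pair can be kept in the history list."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def composition_errors(password):
    """Rule 1: length and character-class requirements. Returns a list of
    human-readable problems; an empty list means the password passes."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        errors.append("missing an uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("missing a lowercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("missing a digit")
    if not any(c in ALLOWED_SPECIALS for c in password):
        errors.append("missing a special character from %s"
                      % "".join(sorted(ALLOWED_SPECIALS)))
    bad = sorted(set(password) & DISALLOWED_CHARS)
    if bad:
        errors.append("contains disallowed character(s): %r" % "".join(bad))
    return errors


def policy_errors(username, password, history):
    """Rules 1, 2 and 4 together. `history` is a list of (salt, digest)
    pairs, oldest first, produced by hash_password()."""
    errors = composition_errors(password)
    # Rule 2 (assumption: compare case-insensitively so "Alice" vs "alice" is caught).
    if password.lower() == username.lower():
        errors.append("password equals the username")
    # Rule 4: only the most recent HISTORY_DEPTH entries matter.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if matches(password, salt, digest):
            errors.append("reuses one of the last %d passwords" % HISTORY_DEPTH)
            break
    return errors


def password_expired(changed_at, now):
    """Rule 3: a password changed MAX_AGE or longer ago must be rotated."""
    return now - changed_at >= MAX_AGE


if __name__ == "__main__":
    # Constructed sample data: a user with two prior passwords on file.
    history = [hash_password("Old#pass1"), hash_password("Old#pass2")]
    for candidate in ("Old#pass1", "alice", "Bad*pass1", "Good#pass3"):
        print(candidate, "->", policy_errors("alice", candidate, history) or "ok")
    print("expired:", password_expired(datetime(2016, 1, 1), datetime(2016, 4, 1)))
```

Keeping the history as salted digests means a leaked history file reveals nothing reusable, and `hmac.compare_digest` keeps the reuse check from leaking timing information; the trade-off is that each history comparison costs one PBKDF2 derivation, which is why the check stops at the first match.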

This has more on two-factor authentication.
