PCI DSS is the cybersecurity standard that retailers must follow to assure the security of their customers’ credit card data. PCI DSS has many components, but among the most critical is a requirement for strong passwords.
In this article, we’ll explore the fundamentals of PCI DSS and its password requirements, so that your organization can improve its compliance with PCI DSS and remain an active player in the modern commercial world.
What Is PCI DSS?
PCI DSS is shorthand for the Payment Card Industry Data Security Standard. It’s a set of security standards and requirements established by major credit card brands (Visa, MasterCard, American Express, Discover, and JCB) to keep payment card data secure from data breaches and other cybersecurity threats.
PCI DSS provides a framework for organizations that process, store, or transmit credit card data so that those businesses can maintain a secure environment. The standard outlines specific security measures and best practices that organizations must follow to protect cardholder data and maintain the trust of cardholders.
What Is PCI Compliance?
PCI compliance encompasses standards and guidelines established to assure the secure handling of payment card information and maintain a secure cardholder data environment (CDE).
These standards include various obligations, such as the development of data security protocols for both the business and its personnel, and the removal of payment card data from processing systems and payment terminals.
What Are the PCI Password Requirements?
To be PCI compliant, organizations must follow these requirements:
- Passwords (or passphrases) must have a minimum length of seven characters.
- Passwords must contain both numbers and alphabetic characters.
- Users are required to change passwords/passphrases at least every 90 days.
- Password parameters must be set to require the new password/passphrase to be different from the previous four passwords.
- First-time passwords for new users and reset passwords for existing users must be unique to each user and changed after the first use.
- Limit repeated access attempts by locking out the user ID after not more than six attempts.
- Once a user is locked out of his or her account, the account remains locked for a minimum of 30 minutes or until a system administrator resets the account.
- Vendor-supplied defaults for system passwords are not allowed, so unique passwords are necessary.
- Passwords must be encrypted during transmission and storage.
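The lockout, password-history, and change-at-first-use rules above, as an added example that is not part of the original article: a hypothetical account record that stores only salted PBKDF2 hashes, locks the user ID on the sixth failed attempt for at least 30 minutes (or until an administrator resets it), and rejects any new password matching one of the last four used.

```python
import hashlib, os, secrets
from datetime import datetime, timedelta

MAX_ATTEMPTS = 6                  # lock the user ID after no more than six failures
LOCKOUT = timedelta(minutes=30)   # minimum lockout before automatic unlock
HISTORY = 4                       # a new password must differ from the last four used
ITERATIONS = 100_000              # PBKDF2 work factor; raise it for production use

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class Account:
    def __init__(self, first_password: str):
        self.history = []          # (salt, hash) pairs, newest last; never plaintext
        self.failures, self.locked_until = 0, None
        self.must_change = True    # first-time password: must be changed at first use
        self._store(first_password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY:]   # keep only the last four

    def _matches(self, password: str, entries) -> bool:
        return any(secrets.compare_digest(_hash(password, s), h) for s, h in entries)

    def login(self, password: str, now: datetime) -> str:
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"
            self.failures, self.locked_until = 0, None   # lockout period has expired
        if not self._matches(password, self.history[-1:]):
            self.failures += 1
            if self.failures >= MAX_ATTEMPTS:
                self.locked_until = now + LOCKOUT
                return "locked"
            return "denied"
        self.failures = 0
        return "change_required" if self.must_change else "ok"

    def change_password(self, new_password: str) -> bool:
        if self._matches(new_password, self.history):
            return False           # reuse of any of the last four is rejected
        self._store(new_password)
        self.must_change = False
        return True

    def admin_reset(self, temporary_password: str) -> None:
        self.failures, self.locked_until, self.must_change = 0, None, True
        self._store(temporary_password)   # reset password is also changed at first use
```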
The PCI DSS password requirements are designed to balance complexity and strength to accommodate a wide range of companies employing diverse technologies.
The PCI Security Standards Council, which developed the PCI standards for compliance, encourages enterprises to implement stronger controls or additional security measures to meet their individual security needs.
Companies adhering to PCI DSS can implement controls that go beyond the standard, such as those included in NIST 800-53, a cybersecurity framework from the National Institute of Standards and Technology. The only requirement is that the controls you implement must also adhere to the PCI password policy.
What Are the Password Requirements for PCI Level 1?
PCI has four levels of compliance, depending on the volume of credit card transactions you process. PCI Level 1 is the highest and most stringent level of compliance with the PCI DSS.
Compliance requirements do differ somewhat depending on the credit card company. For example, Visa requires PCI Level 1 compliance for merchants that process more than 6 million transactions annually, while American Express sets PCI Level 1 compliance at more than 2.5 million transactions annually.
In addition to the PCI DSS password requirements above, PCI Level 1 also requires the following:
- Passwords and authentication codes must be a minimum of seven characters.
- Passwords and authentication codes should be unique for each device. In cases where dual control is necessary, the codes must be unique for each user by design and not by coincidence.
- If any passwords are set to vendor defaults, they must be configured to expire upon initial use, forcing users to change them immediately.
- Passwords and authentication codes must be distinct for each user on a specific device, assuring that no two users share the same authentication credentials.
What Is PCI DSS 4.0?
The current PCI DSS standard, Version 3.2.1, expires at the end of March 2024. From then forward, PCI DSS compliance assessments must follow the newest PCI DSS standard, Version 4.0. PCI 4.0 focuses on making cardholder data even safer by encouraging organizations to look at security and access controls in a more comprehensive way.
Getting ready for PCI 4.0 will require a substantial effort because the updated standard introduces new controls. These include:
- A new requirement for the frequency of malware scans as part of the organization’s targeted cybersecurity risk analysis.
- An automated technical solution to continually detect and prevent web-based attacks on public-facing web applications.
- Robust management of all payment page scripts that load and execute in the consumer’s browser.
- Disk-level encryption on its own will no longer be sufficient for protecting stored cardholder data.
- More stringent multi-factor authentication (MFA) controls.
- New requirements for keyed cryptographic hashes.
- Deployment of automated technical solutions for web applications to both discover and prohibit web-based attacks.
What Are PCI 4.0 Password Requirements?
Below are some new PCI 4.0 password requirements aimed at strengthening password security and access controls.
1. Increased minimum password length
PCI 4.0 introduces a new requirement for password management, focusing on password changes and the implementation of strong passwords. Passwords must now consist of at least 12 characters with special characters, uppercase, and lowercase letters. (If the system doesn’t support 12 characters, a minimum length of 8 characters is acceptable.)
This requirement aims to enhance the strength of passwords by imposing a longer minimum length. Longer passwords are generally more resistant to brute-force attacks and provide greater security.
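An added example (not code from the original article) that encodes the composition rules as this article lists them, with the 8-character fallback for systems that cannot support 12, and the 3.2.1 rules from the earlier list for comparison. The policy tables and the small set of vendor-default passwords are constructed for the example; the checker returns every violation rather than a single pass/fail so a user can be told what to fix.

```python
import string

# Composition rules as this article lists them (constructed policy tables)
PCI_V321 = {"min_length": 7, "classes": {"digit", "alpha"}}
PCI_V40 = {"min_length": 12, "classes": {"upper", "lower", "special"}}
PCI_V40_LEGACY = {**PCI_V40, "min_length": 8}   # systems that cannot support 12 chars

# Constructed sample of vendor-supplied defaults that must never remain in use
VENDOR_DEFAULTS = {"admin", "password", "changeme", "default", "12345678"}

def select_policy(max_supported_length: int) -> dict:
    """Pick the PCI 4.0 rule set for a system, falling back to 8 chars only if needed."""
    return PCI_V40 if max_supported_length >= 12 else PCI_V40_LEGACY

def char_classes(password: str) -> set:
    """Character classes present in the password."""
    present = set()
    for c in password:
        if c.isdigit():
            present.add("digit")
        if c.isalpha():
            present.add("alpha")
        if c.isupper():
            present.add("upper")
        if c.islower():
            present.add("lower")
        if c in string.punctuation:
            present.add("special")
    return present

def check_password(password: str, policy: dict) -> list:
    """Return the list of violations; an empty list means the password is acceptable."""
    problems = []
    if password.lower() in VENDOR_DEFAULTS:
        problems.append("vendor-supplied default")
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    for missing in sorted(policy["classes"] - char_classes(password)):
        problems.append(f"missing {missing} character")
    return problems
```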
2. Password/passphrase change or dynamic access control
When passwords or passphrases are the sole authentication factor for customer user access, they must either be changed at least once every 90 days or access must be determined dynamically by analyzing the security posture of the accounts.
This requirement doesn’t apply to accounts of consumer users accessing their payment card information.
3. Mandatory multi-factor authentication (MFA)
PCI 4.0 mandates the implementation of multi-factor authentication (MFA) for all access into the Cardholder Data Environment (CDE).
By making MFA mandatory, PCI 4.0 enhances access security. It helps to assure that even if one factor (such as a password) is compromised, unauthorized access is still prevented due to additional, independent factors (such as biometric data).
4. Management of system or application accounts
PCI 4.0 introduces a new requirement for managing system or application accounts that can be used for interactive login. This requirement underscores the need for strict management of accounts that can be interactively accessed. Such accounts, if not properly managed, can pose serious security risks.
5. Prohibition of hard-coding passwords
PCI 4.0 forbids the practice of hard-coding passwords or passphrases into files or scripts for any system accounts that can be used for interactive login. This requirement enforces the best practice of avoiding hard-coded passwords or passphrases, which hackers can easily exploit.
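One way to audit scripts and configuration files for this requirement, as an added example that is not part of the original article: a first-pass scanner that flags a password-like name assigned a literal value while ignoring values fetched from the environment, a vault, or a function call. The regular expressions and the sample script (with made-up credentials) are constructed for the example and will need tuning for a real code base.

```python
import re

# A password-like name assigned a literal value (shell, Python, YAML/INI spellings).
ASSIGN = re.compile(r"""(?ix)
    \b\w*(?:pass(?:word|wd|phrase)?|pwd|secret)\w*   # e.g. DB_PASSWORD, PGPASSWORD, pwd
    \s*[:=]\s*
    (?P<value>["']?[^"'\s#]+["']?)                  # the literal that follows
""")
# Values fetched at run time rather than written into the file: not a finding.
INDIRECT = re.compile(r"""^["']?\$|^\w[\w.]*\(|environ|getenv|vault""", re.I)

def find_hardcoded(text: str) -> list:
    """Return (line_number, line) pairs that assign a literal to a password-like name."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = ASSIGN.search(line)
        if match is None:
            continue
        if INDIRECT.search(match.group("value")):
            continue                      # environment, vault or function lookup
        findings.append((number, line.strip()))
    return findings

# Constructed sample script; the credentials in it are made up for this example.
SAMPLE_SCRIPT = """\
#!/bin/sh
# nightly backup (constructed sample, not a real script)
DB_USER=svc_backup
DB_PASSWORD='Winter2023!'                        # literal credential: violation
API_TOKEN=$(vault kv get -field=token secret/backup)
export PGPASSWORD="${BACKUP_DB_PASS}"            # taken from the environment
password = os.environ["SVC_PASS"]
passphrase: "hunter2"                            # literal credential: violation
"""

if __name__ == "__main__":
    for number, line in find_hardcoded(SAMPLE_SCRIPT):
        print(f"line {number}: {line}")
```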
6. Protection of application and system account passwords
PCI 4.0 also requires that passwords for application and system accounts be protected against misuse. Misuse can include improper access, sharing, or any action that compromises the security of the credentials. Implementing measures to protect against misuse assures the integrity and security of these critical accounts.
Meet PCI DSS 4.0 Compliance With ZenGRC
The Reciprocity ZenGRC platform streamlines PCI DSS compliance. It helps to eliminate unnecessary bottlenecks and reduces the time and resources required for compliance assessment. Plus, ZenGRC operates as a continuous monitoring system that provides real-time status of your networks and systems against the intricate PCI DSS 4.0 standards.
Sign up for a demo to see how ZenGRC can help your organization remain at the forefront of PCI DSS compliance.