PCI DSS password policy requirements

What is the PCI DSS?

At the end of 2004, five major credit card companies—namely American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.—joined together to create the Payment Card Industry Data Security Standard (PCI DSS) in an attempt to curb data fraud in the finance sector. Any organization that wants to process, store, or transmit credit card data must ensure that they comply with the mandated PCI DSS password policy requirements.

What are the PCI DSS password requirements?

To be PCI DSS compliant, organizations must enforce the password policy requirements mentioned in section 8 of the PCI DSS regulations. This section dealing with identity and access management has undergone considerable changes in 2022 based on the NIST 800-63B password guidelines. The following are the latest password policy requirements that the PCI DSS states:

1. A password must have a minimum of 12 characters.
2. Passwords must be alphanumeric in nature and be stored or transmitted with encryption.
3. Passwords must be changed every 90 days and must not be a repetition of the previous four passwords.
4. In scenarios where a password is generated for the user because the user is new or sometimes during a password reset, the generated password must be unique for every user and it must be changed after the first use.
5. The allowed number of failed logon attempts must be limited to 10. If a user gets locked out of their account, their account should remain locked for 30 minutes or until a system administrator resets their account.
6. The default vendor-supplied passwords or passphrases are not allowed and must be changed.
7. Users must be authenticated with stringent MFA techniques.
8. MFA is a requirement for non console access to the cardholder data environment (CDE) for administrators accessing all network and system components of CDE.
9. For remote access, MFA can be used for either system/application or network level. While this has been specified as a best practice till 2025, it will be an audit requirement afterwards.

These PCI DSS password requirements address password complexity and strength only on a basic level so that they can accommodate the variation in technology between companies. Apart from these standards, the PCI DSS also allows companies to implement relevant password requirements specified by the National Institute of Standards and Technology Special Publication (NIST) 800-63B.

Simplify PCI DSS compliance with ADSelfService Plus

ADSelfService Plus offers advanced password policy and MFA settings to ensure your company complies with the password requirements of the PCI DSS. You can create a custom password policy that meets all the PCI DSS requirements and enforce it for all or specific AD users based on their domain, OU, or group membership.

1. Enforce password history: Ensure password strength by enforcing password history during native password resets in the Windows Active Directory Users and Computers (ADUC) console.
2. Set a custom password length: Enforce longer passwords for Windows domain users by specifying the minimum password length.
3. Ensure password complexity: Ensure user passwords contain uppercase, lowercase, special, and numeric characters.
4. Ban weak passwords: Blacklist leaked or weak AD passwords, patterns, and palindromes.
5. Mandate MFA for users: Secure user access to cardholder data by enabling MFA for machines, applications, VPNs, RDPs, and OWA. Choose from a range of 19 different MFA authenticators to verify users' identities.

Benefits of using ADSelfService Plus to comply with the PCI DSS mandates

• Fine-grained flexibility: Create different password policies for different types of users in the organization according to their role and level of access to sensitive data.
• Increased password security: Enforce passphrases and restrict consecutively repeated characters from passwords. Blacklist weak or compromised passwords to make users set strong passwords. Enable the password strength analyzer to give users instant visual feedback on password strength when they change or reset their passwords.
• Compliance with regulatory standards: Ensure that your organization complies not only with the PCI DSS standards, but also with NIST SP 800-63B, HIPAA, Essential Eight, CJIS, SOX, and the GDPR compliance mandates.