New MFA requirements for PCI password compliance

(Last updated on September 15, 2020)

The Payment Card Industry Data Security Standard (PCI DSS) regulates security practices to protect cardholder data. Password compliance plays an important role in the PCI standards by dictating password complexity to strengthen defense against unauthorized access. New requirements coming into effect this January demand multi-factor authentication (MFA) for administrators, and anyone with remote access.

PCI restricted access

When it comes to accessing cardholder data, PCI requires that access only be granted to authorize personnel on a need-to-know basis. Need-to-know is defined as: “access rights are given to only the least amount of data and privileges needed to perform a job.” Each person must be assigned a unique identification so that all actions can be traced to known users.

Verify user identity

Any user with access to cardholder data must have a unique ID and a strong password for authentication. Being able to verify user identity is crucial when performing a credential-related task like resetting the password. Verifying that the user is, in fact, who they claim to be when contacting the helpdesk prevents social engineering attacks.

Administrative access and remote access require MFA

A new requirement that comes into effect on January 31, 2018 is that all individual non-console administrative access and all remote access to cardholder data require MFA. At least two factors are required from two of the three categories (something you know, something you have, something you are). See requirement 8.3 in the official PCI document for more information.

Default passwords must be changed

Computers, servers, point-of-sale terminals, routers, etc. must not use the default, factory-set passwords. Half of all point-of-sale hacks are a result of weak or default passwords, according to this report from Trustwave.

Password expiration

Whether or not passwords must expire at regular intervals is a hotly debated topic for organizations that regulate password best practice. The National Institute of Standards and Technology (NIST) says that passwords should only expire, and be forced to change, when a breach is suspected. PCI, on the other hand, requires that passwords are changed every 90 days for all personnel with access to cardholder data and all system login accounts.

Strong passwords according to PCI

The PCI password requirements for businesses include the use of strong passwords, which have a minimum length of seven characters and contain numbers and letters. Here at Specops, we believe that a strong password must meet other requirements – not appearing on a dictionary list and being longer than 15 characters. This blog, Are PCI compliant passwords good enough? challenges the PCI definition of a strong password.

For questions about PCI compliance and Specops Password Policy, contact us today.


Back to Blog