New MFA requirements for PCI password compliance

The Payment Card Industry Data Security Standard (PCI DSS) regulates security practices to protect cardholder data. Password compliance plays an important role in the PCI standards by dictating password complexity to strengthen defense against unauthorized access. New requirements coming into effect this January demand multi-factor authentication (MFA) for administrators and anyone with remote access.

PCI restricted access

When it comes to accessing cardholder data, PCI requires that access only be granted to authorized personnel on a need-to-know basis. Need-to-know is defined as: “access rights are given to only the least amount of data and privileges needed to perform a job.” Each person must be assigned a unique identification so that all actions can be traced to known users.

Verify user identity

Any user with access to cardholder data must have a unique ID and a strong password for authentication. Being able to verify user identity is crucial when performing a credential-related task such as a password reset. Verifying that the user is, in fact, who they claim to be when contacting the helpdesk prevents social engineering attacks.

Administrative access and remote access require MFA

A new requirement that comes into effect on January 31, 2018 is that all individual non-console administrative access and all remote access to cardholder data require MFA. At least two factors are required from two of the three categories (something you know, something you have, something you are). See requirement 8.3 in the official PCI document for more information.

Default passwords must be changed

Computers, servers, point-of-sale terminals, routers, etc. must not use the default, factory-set passwords. Half of all point-of-sale hacks are a result of weak or default passwords, according to a report from Trustwave.

Password expiration

Whether or not passwords must expire at regular intervals is a hotly debated topic for organizations that regulate password best practice. The National Institute of Standards and Technology (NIST) says that passwords should only expire, and be forced to change, when a breach is suspected. PCI, on the other hand, requires that passwords be changed every 90 days for all personnel with access to cardholder data and all system login accounts.
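The MFA rule and the 90-day rule above can be checked against an account inventory. The following is an added example, not part of the original post or of any Specops product: the record fields, factor type names and sample accounts are assumptions constructed for illustration. It shows the case that is easiest to miss, two factors that fall in the same category.

```python
from datetime import date

# Factor type names are assumptions for this example; the three categories
# (know / have / are) are the ones the requirement names.
FACTOR_CATEGORY = {
    "password": "know", "pin": "know",
    "totp_app": "have", "hardware_token": "have",
    "fingerprint": "are",
}
MAX_PASSWORD_AGE_DAYS = 90

def mfa_required(acct):
    """Non-console administrative access and all remote access need MFA."""
    return (acct["admin"] and not acct["console_only"]) or acct["remote"]

def audit(accounts, today):
    """Return {account id: [findings]} for accounts that break a rule."""
    findings = {}
    for acct in accounts:
        issues = []
        # Unknown factor types are ignored rather than counted.
        cats = {FACTOR_CATEGORY[f] for f in acct["factors"] if f in FACTOR_CATEGORY}
        if mfa_required(acct) and len(cats) < 2:
            held = ",".join(sorted(cats)) or "none"
            issues.append("MFA needs two categories, has: " + held)
        if (today - acct["pw_changed"]).days > MAX_PASSWORD_AGE_DAYS:
            issues.append("password older than 90 days")
        if issues:
            findings[acct["id"]] = issues
    return findings

# Constructed sample inventory (hypothetical accounts).
SAMPLE = [
    # Remote admin with password + PIN: two factors, but both "know".
    {"id": "alice", "admin": True, "console_only": False, "remote": False,
     "factors": ["password", "pin"], "pw_changed": date(2018, 1, 2)},
    # Remote user with valid MFA but a stale password.
    {"id": "bob", "admin": False, "console_only": False, "remote": True,
     "factors": ["password", "totp_app"], "pw_changed": date(2017, 9, 1)},
    # Console-only admin: the MFA rule described above does not apply.
    {"id": "carol", "admin": True, "console_only": True, "remote": False,
     "factors": ["password"], "pw_changed": date(2018, 1, 10)},
]
TODAY = date(2018, 1, 31)

if __name__ == "__main__":
    for user, issues in audit(SAMPLE, TODAY).items():
        print(user, issues)
```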

Strong passwords according to PCI

The PCI password requirements for businesses include the use of strong passwords, which have a minimum length of seven characters and contain numbers and letters. Here at Specops, we believe that a strong password must meet other requirements – not appearing on a dictionary list and being longer than 15 characters. Our blog post "Are PCI compliant passwords good enough?" challenges the PCI definition of a strong password.

For questions about PCI compliance and Specops Password Policy, contact us today.

(Last updated on October 30, 2023)

