PCI compliance requirements in the UK

In 2018, criminals successfully stole £1.4 billion through fraud and scams. Now more than ever, businesses that process cardholder data look to the Payment Card Industry Data Security Standard (PCI DSS) for security recommendations. PCI DSS is a set of security standards introduced to the UK in 2006. PCI compliance is required for any business that accepts, stores, transmits, or processes cardholder data.

Payment fraud is a major threat with costly consequences. According to the Fraud the Facts 2019 report from UK Finance, unauthorised financial fraud losses across payment cards, remote banking, and cheques totalled £844.8 million in 2018. Additionally, UK Finance members reported 84,624 incidents of authorised push payment scams with gross losses of £354.3 million. The same report claims that social engineering and data breaches were a major contributor to the losses.

PCI password requirements

The PCI Security Standards Council has published an infographic to help organisations defend against phishing and social engineering attacks. Compromised credentials allow hackers to gain remote access to a network. PCI requires strong passwords for all users with access to payment card numbers, and multi-factor authentication for administrators and anyone with remote access. The recommendation is to educate users on choosing strong passwords, and to force frequent password changes. Version 3.2.1 of the PCI Requirements and Security Assessment Procedures (requirement 8.4) reads:

Document and communicate authentication policies and procedures to all users including:

• Guidance on selecting strong authentication credentials

• Guidance for how users should protect their authentication credentials

• Instructions not to reuse previously used passwords

• Instructions to change passwords if there is any suspicion the password could be compromised.

This advice differs from that of the National Cyber Security Centre (NCSC), which aims to reduce the burden on end-users. The NCSC says your authentication system should help you identify and stop the use of compromised passwords.

PCI fines and penalties

The PCI password requirements alone might not be enough to secure authentication. An analysis of 5,000 PCI-compliant passwords revealed that 3 out of 4 contained dictionary words. This means that even with PCI compliance, organisations may still be vulnerable to password attacks.

In the event of a data breach, PCI will require your organisation to cover the cost of a forensic investigation. A PCI Level 1 investigation can cost upwards of £100,000. You will also have to consider fines from banks, and even GDPR fines if the data of EU residents is compromised. 

Is it time to re-evaluate your PCI passwords? User-generated passwords have their limitations, but you can minimise your exposure by blocking compromised passwords. A blocklist should contain the passwords an attacker is known to try when attempting to gain access to a system. A third-party password tool can simplify the process of managing the list of leaked passwords. The Specops password list is influenced by major breach incidents, and updated in response to new threats.
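As an added illustration of what "blocking compromised passwords" looks like in code (this is example code written for this post, not Specops or PCI SSC software), the checker below rejects a candidate password when it fails the PCI DSS v3.2.1 length and character rules, reuses a previous password, appears in a breached-password list, or contains a dictionary word. The breached list and dictionary are small constructed samples; a real deployment would load a large leaked-password corpus and a full word list.

```python
import hashlib
import re
from typing import FrozenSet, List, Set

# Constructed sample data, NOT a real breach corpus: a few passwords that
# any leaked-password list would contain. They are kept only as upper-case
# SHA-1 hex digests, the format in which breach lists are usually published,
# so no plaintext needs to live on disk.
SAMPLE_BREACHED = ["password", "Password1", "Welcome1", "qwerty123", "Summer2019!"]
BREACHED_HASHES: Set[str] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in SAMPLE_BREACHED
}

# Constructed mini dictionary; a production list would be far larger.
DICTIONARY: Set[str] = {"summer", "welcome", "password", "london", "dragon", "monkey"}


def sha1_hex(password: str) -> str:
    """SHA-1 is used here only because breach lists are distributed as SHA-1
    digests. Passwords stored for login must use a slow, salted hash instead."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_breached(password: str, breached_hashes: Set[str] = BREACHED_HASHES) -> bool:
    """Look the candidate up by hash using a 5-character prefix bucket, the
    same shape as a k-anonymity range lookup, so the code works whether the
    list is local or served as prefix buckets by a remote service."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    bucket = {h[5:] for h in breached_hashes if h.startswith(prefix)}
    return suffix in bucket


def contains_dictionary_word(password: str, dictionary: Set[str] = DICTIONARY,
                             min_len: int = 4) -> bool:
    """Flag passwords built around a dictionary word (case-insensitive)."""
    lowered = password.lower()
    return any(len(word) >= min_len and word in lowered for word in dictionary)


def evaluate(password: str, history_hashes: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the reasons a password should be rejected; an empty list means accept."""
    reasons: List[str] = []
    # PCI DSS v3.2.1 requirement 8.2.3: at least 7 characters, letters and digits.
    if len(password) < 7:
        reasons.append("shorter than 7 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        reasons.append("must contain both alphabetic and numeric characters")
    # Requirement 8.4: do not reuse previously used passwords (history kept as hashes).
    if sha1_hex(password) in history_hashes:
        reasons.append("reuses a previous password")
    # The check the NCSC and this post both recommend: block known-compromised values.
    if is_breached(password):
        reasons.append("appears in the breached-password list")
    # The weakness the 5,000-password analysis above points at.
    if contains_dictionary_word(password):
        reasons.append("contains a dictionary word")
    return reasons


if __name__ == "__main__":
    previous = frozenset({sha1_hex("Tr7!kq9Zp4")})
    for candidate in ["Summer2019!", "abc1", "Tr7!kq9Zp4", "Xy4#mq8Lw2"]:
        verdict = evaluate(candidate, previous) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note that a password can pass every PCI complexity rule and still be rejected: `Summer2019!` is eleven characters with letters, digits and a symbol, yet it is both in the sample breach list and built on a dictionary word, which is exactly the gap the post describes.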

Get started with a free password audit

Download Specops Password Auditor (FREE) to run a security scan and identify breached passwords in your environment. Specops Password Auditor generates interactive reports containing user and password policy information, including:

  • Overview of dormant user accounts
  • Passwords approaching expiration
  • List of expired, identical, blank, and breached passwords

Contact our password security specialists in the UK:


Call us: +44 (0)203 002 1877

(Last updated on October 5, 2023)


Written by

Darren James

Darren James is a Senior Product Manager at Specops Software, an Outpost24 company. Darren is a seasoned cybersecurity professional with more than 20 years of experience in the IT industry. He has worked as a consultant across various organizations and sectors, including central and local governments, retail and energy. His areas of specialization include identity and access management, Active Directory, and Azure AD. Darren has been with Specops Software for more than 12 years and brings his expertise to the support and development of world-class password security and authentication solutions. 
