How to build a PCI-compliant password policy
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to protect cardholder data and to ensure that organizations storing, processing or transmitting payment card data maintain a secure environment. Among its many requirements, PCI DSS places significant emphasis on robust authentication and password controls to prevent unauthorized access and reduce the risk of data breaches.
PCI DSS v4.0.1 is the latest set of requirements and it mandates several key aspects of password management, including complexity, frequency of changes, password history, lockout mechanisms, secure storage, and user education. These requirements are designed to create a multi-layered defense against cyber threats. By meeting the standards, organizations can enhance their security posture and build trust with customers and partners.
If you’re looking for a more general overview of PCI-DSS v4.0.1, head here first. This post will walk through the password requirements you need to know, how best to comply, and offer a PCI-compliance checklist you can follow.
What are the PCI-DSS v4.0 password requirements?
PCI DSS v4.0, published in March 2022, made a number of changes to password management and authentication (most of them in Requirement 8). Version 4.0.1, published in June 2024, is a limited revision that clarifies wording and guidance without adding or removing requirements. The changes were aimed at improving password management practices and reducing the risk of password-related compromise in the cardholder data environment (CDE).
Here are the key points:
- Stronger password requirements: Requirement 8.3.6 raises the bar for password and passphrase strength. This is a future-dated requirement that became mandatory on 31 March 2025; before that date the v3.2.1 minimum of seven characters still applied. It includes:
- Minimum length: Passwords must be at least 12 characters long, or at least 8 characters on systems that cannot support 12.
- Character composition: Passwords must contain both numeric and alphabetic characters. Requiring uppercase, lowercase and special characters is good practice, but the standard itself does not mandate it.
- Unique passwords: First-time and reset passwords must be set to a unique value for each user and changed immediately after first use (8.3.5), and the guidance communicated to users must tell them not to reuse passwords across systems or accounts (8.3.8).
- Password expiration: Blanket rotation is no longer required. Where passwords are the only authentication factor for user access, they must either be changed at least every 90 days or the security posture of the account must be analyzed dynamically so that access is decided in real time (8.3.9). Where MFA is in place no fixed expiration is mandated, but any password known or suspected to be compromised must still be changed immediately. Passwords for application and system accounts are changed on a schedule set by the organization's targeted risk analysis (8.6.3). The intent is to stop users producing weak, predictable passwords in response to frequent forced changes.
- Password storage: Requirement 8.3.2 requires strong cryptography to render all authentication factors unreadable during storage.
- Hashing: In practice this means a salted, one-way hash computed with a deliberately slow algorithm rather than reversible encryption, so that a stolen credential store cannot simply be decrypted.
- No plaintext or reversible storage: Passwords must never be kept in plaintext, in a reversibly encrypted form, or in logs.
- Password transmission: Requirement 8.3.2 also requires strong cryptography to render authentication factors unreadable during transmission.
- Encryption: Use strong, current cryptography for every network hop that carries a password, internal networks included.
- Secure protocols: Ensure that secure protocols (e.g., TLS/HTTPS, SSH) are used for password transmission and that cleartext protocols such as Telnet, FTP and plain HTTP are disabled on in-scope systems.
- Multi-factor authentication (MFA): Requirement 8.4 extends MFA well beyond v3.2.1. MFA is required for all non-console administrative access to the CDE (8.4.1), for all access into the CDE (8.4.2, mandatory from 31 March 2025), and for all remote network access originating from outside the entity's network (8.4.3). The MFA system itself must not be susceptible to replay, must require at least two different factor types, and must not allow any factor to be bypassed (8.5.1).
- Audit logs: Requirement 10 requires audit logs that capture authentication events, including all changes to identification and authentication credentials (10.2.1.5), so that password management activity is accountable and traceable.
- User education: Requirement 8.3.8 requires authentication policies and procedures to be documented and communicated to all users, including guidance on selecting strong passwords, protecting them, not reusing previously used passwords, and changing a password if there is any suspicion it has been compromised.
- Training programs: Fold this guidance into the security awareness program required by Requirement 12.6 so employees understand why strong, unique passwords matter.
- Awareness campaigns: Conduct regular reminders of password security best practices, and repeat them whenever the policy changes.
- Automated password management: The standard does not mandate specific tooling, but the following are the practical ways most organizations meet the requirements above consistently:
- Password managers: Recommend or provide a password manager so users can generate and store long, unique passwords without resorting to reuse.
- Automated enforcement: Use directory password policies or password filters to enforce the rules above at the point of change, and screen new passwords against known-breached lists rather than relying on character-class rules alone.
What do the regulations say about MFA?
PCI DSS v4.0 makes Multi-Factor Authentication (MFA) mandatory rather than merely recommended. Requirement 8.4.1 requires MFA for all non-console administrative access to the CDE, 8.4.3 requires it for all remote network access originating from outside the entity's network, and 8.4.2 extends it to all access into the CDE by any user, a future-dated requirement that became mandatory on 31 March 2025. Accounts that authenticate with a password alone are therefore the exception rather than the norm, and those are precisely the accounts subject to the 90-day change rule in 8.3.9.
Are these regulations up to date for 2025?
PCI DSS v4.0 was published on 31 March 2022, and v4.0.1, a limited revision with clarifications only, followed in June 2024. The previous version, v3.2.1, was retired on 31 March 2024, so v4.x is the only version an assessment can be performed against today. Most v4.0 requirements took effect immediately; a set of future-dated requirements, including the 12-character minimum in 8.3.6 and MFA for all access into the CDE in 8.4.2, were considered best practice until 31 March 2025 and are mandatory after that date.
Checklist for building a PCI-compliant password policy
To build a PCI-DSS compliant password policy, follow these logical steps:
- Define complexity requirements: Require at least 12 characters (at least 8 only on systems that cannot support 12) containing both letters and digits, per 8.3.6. Mixed case and special characters go beyond the standard and cost little to add, but length matters far more than character-class rules.
- Set change frequency: If passwords are the only authentication factor for user access, mandate a change at least every 90 days or implement dynamic analysis of account security posture (8.3.9). Where MFA is enforced, drop scheduled rotation and instead require an immediate change whenever a password is known or suspected to be compromised.
- Implement password history: Keep the salted hashes of at least the last four passwords and reject any new password that matches one of them (8.3.7). Never keep the history in cleartext.
- Configure lockout mechanisms: Lock the account after no more than ten consecutive invalid attempts and keep it locked for at least 30 minutes or until the user's identity is confirmed (8.3.4). A lower threshold such as five is permitted and common, but tune it so that an attacker cannot trivially lock legitimate users out.
- Secure password storage: Store only salted, one-way hashes computed with a slow algorithm (for example bcrypt, scrypt, Argon2 or PBKDF2) and protect passwords with strong cryptography in transit (8.3.2). Never store them in plaintext or in a reversible form.
- Educate users: Provide regular training on the importance of strong passwords and the risks of weak or reused passwords. Encourage the use of password managers.
- Monitor and review: Regularly audit and review the password policy to ensure it remains effective and compliant with PCI DSS standards. Adjust as needed based on new threats and best practices.
- Document the policy: Clearly document the password policy and make it accessible to all relevant employees. Ensure it is enforced consistently across the organization.
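As an added example (not Specops' code and not text from the PCI Security Standards Council), the following Python module turns the requirement list earlier on the page and the checklist above into enforcement logic: complexity checks per 8.3.6, a four-deep history of salted hashes per 8.3.7, a ten-attempt/30-minute lockout per 8.3.4, and a 90-day expiry that applies only to accounts authenticating with a password alone per 8.3.9. The breached-password set, the in-memory Account record and the scrypt parameters are constructed for the example; a real deployment would hook the same checks into its directory's password filter and query a live breached-password feed.

```python
"""Password-policy enforcement mapped to PCI DSS v4.0.1 Requirement 8.

Added example, not Specops or PCI SSC code. Thresholds follow the requirement
numbers in the comments; the breached-password list and the per-account store
are constructed in-memory stand-ins for whatever your directory actually uses.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MIN_LENGTH = 12                    # 8.3.6: >= 12 chars (8 only if the system cannot do 12)
HISTORY_DEPTH = 4                  # 8.3.7: not the same as any of the last four used
MAX_FAILED_ATTEMPTS = 10           # 8.3.4: lock after no more than 10 invalid attempts
LOCKOUT_SECONDS = 30 * 60          # 8.3.4: locked for at least 30 minutes
MAX_AGE_SECONDS = 90 * 24 * 3600   # 8.3.9: 90-day change only when the password is the sole factor

# Constructed stand-in for a breached-password feed: SHA-1 of known-compromised values.
# Lookup by hash mirrors how k-anonymity feeds such as Pwned Passwords are queried.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("Password1234", "Welcome2024!")
}


def _hash(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow one-way hash (8.3.2: unreadable in storage)."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


@dataclass
class Account:
    history: list = field(default_factory=list)  # [(salt, digest)], newest first
    last_changed: float = 0.0                    # epoch seconds of the last password set
    failed_attempts: int = 0
    locked_until: float = 0.0                    # epoch seconds; 0 = not locked
    mfa_enrolled: bool = False                   # True => 8.3.9 rotation does not apply


def check_complexity(password: str) -> list:
    """Return policy violations for a candidate password (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters (8.3.6)")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_alpha and has_digit):
        problems.append("must contain both letters and digits (8.3.6)")
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in breached-password list")
    return problems


def set_password(acct: Account, password: str, now: float) -> list:
    """Apply a password change; return violations, or [] when the change was made."""
    problems = check_complexity(password)
    # 8.3.7: compare against every stored history entry using that entry's own salt.
    if any(hmac.compare_digest(_hash(password, salt), digest) for salt, digest in acct.history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords (8.3.7)")
    if problems:
        return problems
    salt = os.urandom(16)
    acct.history.insert(0, (salt, _hash(password, salt)))
    del acct.history[HISTORY_DEPTH:]             # current password plus three predecessors
    acct.last_changed = now
    acct.failed_attempts = 0
    return []


def verify_login(acct: Account, password: str, now: float) -> str:
    """Return 'locked', 'bad', 'expired' or 'ok' for a password-only login attempt."""
    if now < acct.locked_until:
        return "locked"                          # 8.3.4: still inside the lockout window
    if not acct.history:
        return "bad"
    salt, digest = acct.history[0]
    if not hmac.compare_digest(_hash(password, salt), digest):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
        return "bad"
    acct.failed_attempts = 0
    # 8.3.9: a scheduled change applies only when the password is the sole factor.
    if not acct.mfa_enrolled and now - acct.last_changed > MAX_AGE_SECONDS:
        return "expired"
    return "ok"


if __name__ == "__main__":
    acct = Account()
    t0 = 1_700_000_000.0
    print(set_password(acct, "Welcome2024!", t0))               # rejected: breached
    print(set_password(acct, "correct-horse-battery-7", t0))    # accepted: []
    for _ in range(MAX_FAILED_ATTEMPTS):
        verify_login(acct, "wrong-guess-000", t0 + 1)
    print(verify_login(acct, "correct-horse-battery-7", t0 + 2))  # locked
```

Two design choices are worth noting. The history stores a fresh salt with every entry and rehashes the candidate against each one, so a compromised history table gives an attacker no shortcut and no two users with the same old password share a digest. And the expiry check lives in the login path rather than in a nightly job, so an MFA-enrolled account is never forced through a pointless rotation while a password-only account is caught the moment it passes 90 days.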
By following these steps, you can create a robust and compliant password policy that enhances your organization’s security and meets PCI DSS requirements. For more detail about building a new password policy, we’d recommend checking out this blog series:
- Strategy recommendations for password policy planning
- Setting up the key components of a password policy
- How to communicate a new password policy to end users
Where third-party tools can help
A tool such as Specops Password Policy can significantly aid organizations in achieving PCI-DSS compliance by automating and enforcing robust password management practices. It ensures that passwords meet the required complexity standards, such as minimum length, character variety, and the inclusion of uppercase and lowercase letters, numbers, and special characters.
The tool can also enforce password history, preventing users from reusing recent passwords, and implement lockout mechanisms to secure accounts after multiple failed login attempts. Additionally, Specops Password Policy supports secure storage of passwords, using strong encryption methods to protect sensitive data.
Beyond these core requirements, Specops Password Policy has a Breached Password Protection feature that continuously checks your Active Directory against a growing database of over 4 billion unique compromised passwords. It also provides detailed reporting and auditing capabilities, which are essential for demonstrating compliance during PCI DSS assessments. By automating these processes, Specops helps organizations maintain a consistent and secure password policy, reducing the risk of data breaches and ensuring ongoing compliance with PCI DSS standards.
(Last updated on December 6, 2024)