PCI password security checklist
(Last updated on February 17, 2020)
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements developed to protect card data during and after a financial transaction. It applies to any merchant or service provider that handles, processes, stores or transmits credit card data. Though it is not a government-driven requirement, non-compliance can result in large penalties and revocation of your right to process credit card transactions.
The standard is extremely detailed when it comes to passwords – several mandates relate to password policy and management. The following questions will provide you with a good starting point towards improving your password security:
- Have you changed the manufacturers’ default passwords on all your computers, servers, point-of-sale (POS) terminals, routers, wi-fi access points, etc.?
Default passwords are one of the most common security weaknesses in payment environments. According to Trustwave’s report, 50 percent of the time when a POS is compromised, it is a direct result of a weak or default password being used. With factory-set passwords, attackers can easily gain administrative access to individual terminals and infect them with malware that harvests customer payment card data. If any of your servers or systems still use a default password, change it immediately, and confirm that unnecessary vendor default accounts are removed or disabled (PCI DSS Requirement 2.1).
- Do you change passwords regularly for all employee and system logins?
PCI DSS (Requirement 8.2.4) requires passwords to be changed at least every 90 days. This limits how long a compromised password can be exploited: attackers who reach card data typically leave malware on the system to collect and forward card numbers for as long as their access lasts.
- Do passwords include different types of characters?
PCI DSS (Requirement 8.2.3) requires passwords/passphrases to be at least seven characters long and to contain both numeric and alphabetic characters. The default Windows password policy with complexity enabled only demands characters from three of the character classes (upper case, lower case, digits, symbols), so passwords such as Hello123 and Welcome1 satisfy it yet appear in every common cracking wordlist and fall in seconds. In this case it is better to go beyond the compliance requirement by enforcing additional complexity. Specops Password Policy allows you to enforce stricter requirements than the Windows complexity setting, with support for character sets (upper/lower case letters, numbers, symbols) and the ability to apply different policy settings to different users.
- Do you verify user identity before modifying any authentication credentials?
For example, when a user requests a password reset by phone or another non-face-to-face channel, do you have a secure way of verifying that user’s identity (PCI DSS Requirement 8.2.2)? Attackers routinely pose as a legitimate user and talk the helpdesk into issuing a new password so they can take over that user’s account. If you don’t have a verification process in place, consider a self-service password reset solution that removes this task from the helpdesk. The solution should also provide helpdesk user verification, so users have to prove their identity before a helpdesk staffer can reset or disclose a password.
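To make the complexity point concrete, here is an added example (not code from the article or from Specops) that runs candidate passwords through three checks side by side: the PCI DSS 8.2.3 floor, an approximation of the Windows complexity setting, and a stricter policy. The stricter policy’s 12-character minimum, its banned base-word list and its leet-substitution map are assumptions chosen for the demonstration, standing in for whatever length and breached-password feed you actually deploy.

```python
import string

# Assumed stricter-policy parameters (not from the article): a minimum length and a
# small constructed banned-word list standing in for a real breached-password feed.
MIN_LEN = 12
BANNED_BASE_WORDS = {"hello", "welcome", "password", "summer", "company"}
# Common leet substitutions, so P@ssw0rd is caught as "password".
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def _classes(password: str) -> list[bool]:
    """Presence of the four character classes: upper, lower, digit, symbol."""
    return [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]


def pci_minimum(password: str) -> bool:
    """PCI DSS Requirement 8.2.3 floor: at least 7 characters, both letters and digits."""
    return (
        len(password) >= 7
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
    )


def windows_complexity(password: str, username: str = "") -> bool:
    """Approximation of the Windows 'password must meet complexity requirements'
    setting: at least 6 characters, three of the four classes, and no account
    name of 3+ characters embedded in the password."""
    if len(password) < 6:
        return False
    if len(username) >= 3 and username.lower() in password.lower():
        return False
    return sum(_classes(password)) >= 3


def strict_policy(password: str, username: str = "") -> bool:
    """Assumed stricter policy: MIN_LEN+ characters, all four classes, the Windows
    rules, and no banned base word, spelled plainly or with leet substitutions."""
    if len(password) < MIN_LEN or not windows_complexity(password, username):
        return False
    if not all(_classes(password)):
        return False
    letters_only = "".join(c for c in password if c.isalpha()).lower()
    deleeted = "".join(LEET.get(c, c) for c in password.lower())
    deleeted = "".join(c for c in deleeted if c.isalpha())
    return not any(w in letters_only or w in deleeted for w in BANNED_BASE_WORDS)


def evaluate(password: str, username: str = "") -> dict[str, bool]:
    """Run a candidate password through all three checks."""
    return {
        "pci_minimum": pci_minimum(password),
        "windows_complexity": windows_complexity(password, username),
        "strict_policy": strict_policy(password, username),
    }


if __name__ == "__main__":
    # Constructed sample passwords: the first three pass PCI and Windows, only the last
    # passes the stricter policy.
    for pw in ("Hello123", "Welcome1", "P@ssw0rd2020!", "correct-Horse7Battery!"):
        print(f"{pw:24} {evaluate(pw)}")
```

Hello123 and Welcome1 clear both the PCI floor and Windows complexity; only the banned-word and length rules of the stricter policy reject them, which is the gap the article describes. The `username` argument shows the other Windows rule worth keeping: a password that embeds the account name fails regardless of character classes.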