PCI Requirement 8: Combatting Weak Passwords and Usernames


What do you need to do to be compliant with Requirement 8? 

By: Jen Stone
When was the last time you changed your password on your computer? A few months? A few years?

You’re not alone. For many people and businesses, sharing passwords and never changing them is common practice.

But to be compliant with PCI Requirement 8 and secure your business’s data, you need proper password and username management.

Here are a few things you should do.

Use unique usernames and passwords

It’s important to use different passwords for different services. This way, if one service is compromised, your credentials can’t be used to access information from other services.

From a business perspective, merchants must implement unique usernames. When people share usernames, they also share passwords, which means the credentials are no longer secret, making shared accounts much more vulnerable to social engineering attacks. On top of this, businesses can’t identify exactly who performed a specific action in their systems when a pool of people share a single set of credentials.

Set lockout rules

PCI requires accounts to be locked after six consecutive failed login attempts. Accounts must stay locked for thirty minutes, or until a system administrator resets the account. This helps prevent several kinds of brute-force attacks: if an attacker only has six chances to guess the correct password, their attempts will likely fail, and once locked out they will move on to an easier target.

SEE ALSO: 5 Tips to Boost Your Business’s Physical Security

Use complex passwords

If a password isn’t sufficiently complex, it’s much easier for an attacker to gain access to an environment. An attacker may try a brute-force attack against a system by entering password after password (using an automated tool that tries thousands of passwords in a matter of seconds) until one works.

The PCI standard requires passwords to be changed at least once every 90 days and to be at least 7 characters long, including both an upper-case and a lower-case letter. Other standards recommend requiring longer passwords and adding numbers and special characters. Passwords that fall short of these criteria can easily be broken using a password-cracking tool.

In practice, the longer the password and the more character types it mixes, the more difficult it will be for an attacker to crack.

SEE ALSO: How to Do Passwords Right: Password Management Best Practices

Create passphrases

Short passwords are easy to crack, even when they include numbers and special characters, so security professionals recommend much longer passwords than many people are in the habit of using. This means turning to phrases, instead of words.

You should use phrases to help you remember what your password is. For example, the phrase “I like eating 3 oranges in the morning while sun tanning” can be turned into “Ile3oItMwST!”

Your passwords should never contain words found in the dictionary.
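As an added example that is not part of the original post or SecurityMetrics’ own code, the following Python sketch enforces the lockout rule (six failures, thirty-minute lock), the complexity rule (7+ characters with upper- and lower-case letters) and the 90-day rotation described above, and checks the passphrase-derived password from the example. The account structure, function names and the salted PBKDF2 hashing are assumptions of this illustration, not something the article specifies.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILED_ATTEMPTS = 6                   # lock the account after six consecutive failures
LOCKOUT_DURATION = timedelta(minutes=30)  # stay locked 30 minutes (or until an admin resets it)
MIN_PASSWORD_LENGTH = 7                   # at least 7 characters with upper- and lower-case letters
MAX_PASSWORD_AGE = timedelta(days=90)     # passwords must be changed at least every 90 days


def check_password_policy(password: str) -> list:
    problems = []                         # collected violations; an empty list means acceptable
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)  # salted, slow hash


@dataclass
class Account:
    username: str                 # unique per person so actions can be attributed
    salt: bytes
    password_hash: bytes          # never the password itself
    password_set_at: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def new_account(username: str, password: str, now: datetime) -> Account:
    problems = check_password_policy(password)
    if problems:                  # reject passwords that fail the policy up front
        raise ValueError(f"{username}: " + ", ".join(problems))
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), now)


def attempt_login(account: Account, password: str, now: datetime) -> str:
    """Return 'locked', 'bad_password', 'password_expired' or 'ok'."""
    if account.locked_until is not None:
        if now < account.locked_until:
            return "locked"                   # still inside the lockout window
        account.failed_attempts = 0           # window elapsed: the counter starts over
        account.locked_until = None
    if not hmac.compare_digest(hash_password(password, account.salt), account.password_hash):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked_until = now + LOCKOUT_DURATION
            return "locked"                   # sixth failure trips the lock
        return "bad_password"
    account.failed_attempts = 0               # a success clears the failure count
    if now - account.password_set_at > MAX_PASSWORD_AGE:
        return "password_expired"             # right password, but rotation is overdue
    return "ok"


def simulate_guessing(now: datetime = datetime(2017, 7, 1, 9, 0)) -> list:
    real = "Ile3oItMwST!"                     # the article's passphrase-derived password
    acct = new_account("clerk", real, now)    # constructed sample account
    results = [attempt_login(acct, f"guess{i}", now) for i in range(6)]
    results.append(attempt_login(acct, real, now + timedelta(minutes=5)))   # still locked
    results.append(attempt_login(acct, real, now + timedelta(minutes=31)))  # window elapsed
    return results


def simulate_stale_password(now: datetime = datetime(2017, 7, 1, 9, 0)) -> str:
    acct = new_account("clerk", "Ile3oItMwST!", now - timedelta(days=91))   # set 91 days ago
    return attempt_login(acct, "Ile3oItMwST!", now)
```

Note that the correct password is refused while the lock is active, which is exactly the behaviour that blunts automated guessing, and that a success after the window clears the failure count.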

Implement multi-factor authentication

System security should not be based solely on the complexity of a single password. No password should be considered uncrackable. That’s why implementing multi-factor authentication is an important part of securing remote access, and it’s a requirement under PCI DSS.

Configuring multi-factor authentication requires at least two of the following three factors:
  • Something only you know (e.g., a username and password, PIN) 

  • Something only you have (e.g., hardware token, smartcard) 

  • Something only you are (e.g., fingerprint, ocular scan) 

Examples of effective multi-factor authentication for remote access include: 

  • The remote user enters their username and password, and then must enter a one-time password (OTP) sent to them on their smartphone. 

  • The remote user enters their username and password, and then must use a unique dynamic number found on an RSA SecurID token. 

SEE ALSO: New Multi-Factor Authentication Clarification and Supplement: The Principles You Should Know

Your authentication mechanisms should be independent of each other (e.g., physically separated), so that access to one factor does not grant access to another. The reason is that if one factor is compromised, it must not affect the integrity or confidentiality of any other factor. 

Need help getting PCI compliant? Talk to us! 

Jen Stone (MSCIS, CISSP, QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT. 

SAQ C: Securing Your Payment Application

See what’s required for this SAQ. 

By: Jen Stone
Security Analyst
Self-Assessment Questionnaire (SAQ) C addresses requirements for merchants whose payment application systems are connected to the Internet.

SAQ C merchants process cardholder data via point-of-sale (POS) systems or other payment application systems connected to the Internet. They don’t store cardholder data on any computer system, and they can be either card-present or card-not-present merchants.

Here’s a quick look into what you should know about SAQ C.

Who qualifies for SAQ C?

You should fill out this SAQ if the following qualifiers apply to you:
  • Your business has a payment application system and an Internet connection on the same device and/or same local area network (LAN)
  • The payment application system isn’t connected to any other systems within your environment
  • The POS environment isn’t connected to other locations, and any LAN is for a single location only
  • Any cardholder data your business retains is on paper (for example, printed reports or receipts), and these documents are not received electronically
  • Your company does not store cardholder data in electronic format
Note: SAQ C doesn’t apply to e-commerce merchants.

What’s the difference between SAQ C and SAQ C-VT?

SAQ C-VT applies to merchants who process payments via virtual payment terminals, while SAQ C deals with isolated payment application systems that are connected to the Internet and don’t store electronic cardholder data.

SEE ALSO: SAQ C-VT: The Basics You Should Know

What requirements does this SAQ cover?

SAQ C touches on all the requirements, but some requirements call for more attention than others.
  • Requirement 1: Install and maintain a firewall configuration to protect data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
  • Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
  • Requirement 6: Develop and maintain secure systems and applications
  • Requirement 7: Restrict access to cardholder data by business need to know
  • Requirement 8: Identify and authenticate access to system components
  • Requirement 9: Restrict physical access to cardholder data
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
  • Requirement 12: Maintain a policy that addresses information security for all personnel

What questions will I answer?

SAQ C has a total of 160 questions. Here are some sample questions you may be required to answer.
  • Is inbound and outbound traffic restricted to what’s necessary for the cardholder data environment?
  • Are vendor-supplied default credentials always changed before installing a system on the network?
  • Is sensitive authentication data deleted or made unrecoverable after the authorization process?
  • Are only trusted keys and/or certificates accepted?
  • Is anti-virus software deployed on all systems commonly affected by malicious software?
  • Are critical security patches installed within one month of release?
  • Are individuals assigned access based on their job classification and function?
  • Are all users assigned a unique ID before allowing them to access system components or cardholder data?
  • Are user passwords/passphrases changed at least once every 90 days?
  • Is all media destroyed when it is no longer needed for business or legal reasons?
  • Are audit logs retained for at least one year?
  • Are quarterly internal vulnerability scans performed?
  • Is a list of service providers maintained, including a description of the service(s) provided?

Additional tips

Here are a few other things to consider when filling out SAQ C:
  • Document everything: Make sure you’re documenting all policies and procedures. It helps you keep everything organized and protects you from liability
  • Segment your networks: Keeping your card data environment separate from the rest of your business can help reduce your PCI scope
  • Talk to a Qualified Security Assessor: If you’re not familiar with PCI, it’s a good idea to talk to someone who is. PCI experts can help you find areas where you’re lacking in security
Need help getting PCI compliant? Talk to us!

Jen Stone (MSCIS, CISSP, QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT. 

Complying with the GDPR: What You Should Know

Here are some answered questions about GDPR compliance. 

By: Ian Eyles
Director of European Business
The General Data Protection Regulation (GDPR) will come into effect next year, replacing the Data Protection Directive. This new regulation is meant to help unite privacy laws across Europe and will impose new requirements on organisations handling personal data.

Organisations that collect and use personal information from citizens in the EU will need to comply with the GDPR, regardless of where they are located.
Here are a few answered questions about the GDPR.

When does the GDPR come into effect? 

The GDPR was approved and adopted in April 2016. Organisations in the EU will have to comply with the GDPR by May 2018. 

What are the penalties for non-compliance? 

Organisations can be fined up to 4% of annual global turnover or €20 million. There is a tiered approach to fines. For example, a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting an impact assessment.

Who does the GDPR affect?

The GDPR applies to organisations located within the EU and also to organisations located outside of the EU if they handle the personal data of those within the EU. Basically, if you process personal data of anyone who resides in the EU, you must comply with the GDPR.

What changes are the GDPR bringing?

There are several changes the GDPR has introduced to help organisations and individuals better protect private data. Here are 12 key changes you should know about:
  • Breach notification: Data controllers must report personal data breaches no later than 72 hours after they are aware of the breach
  • Consent: consent must be obtained from individuals for processing personal data. 
  • Data Protection Officers (DPO): appointing DPOs will be mandatory for companies that process high volumes of personal data
  • Data subject access requests (DSAR): The time limit to comply with DSAR has been reduced from 40 days to one month. 
  • Privacy by design: products, systems, and processes must consider privacy-by-design concepts during development
  • Privacy Impact Assessments (PIA): PIAs must be carried out in certain situations.
  • Privacy notices: privacy notices must be more transparent, using clear and plain language, and easily accessible. 
  • Profiling: an individual has the right to not be subject to profiling, and profiling for marketing purposes will always require explicit consent. 
  • Record keeping: each Data Controller must keep a record of processing activities. 
  • Right to portability: users may request a copy of personal data in a portable format
  • Right to erasure: data subjects have the right to request for their data to be deleted. 
  • Right to object: individuals should be advised that they have the right to opt out of direct marketing. 

How does the GDPR relate to PCI DSS? 

The biggest difference between the two regulations is PCI DSS focuses on protecting card data, while the GDPR focuses on protecting personal data.

While the PCI DSS may not directly relate to the GDPR, it can help with the GDPR obligation to implement technical measures to protect against data breaches.

SEE ALSO: The Importance of the PCI DSS: Why You Should Get Compliant

Keep in mind that the purpose of the GDPR is to help organisations protect individuals’ sensitive data. It’s more about ensuring that organisations improve their own data security.

Need help with data security? Talk with one of our consultants!

Ian Eyles is the Director of European Business for SecurityMetrics, managing key acquirer relationships predominantly in the level 4 arena. He has worked in the PCI sector for thirteen years.

Petya Ransomware Outbreak: What to Know
Understand more about this new ransomware and what you should do. 

By: Steve Snelgrove
Security Analyst
A new ransomware is taking the world by storm. This ransomware is a new variant of the Petya ransomware, and is much more sophisticated than its predecessor.

This ransomware has a few improvements over WannaCry, mainly new capabilities that allow it to infect even up-to-date Windows systems running the latest security updates and software patches.

SEE ALSO: WannaCrypt Ransomware Attacks: What You Should Do

Here are a few things you should know about the Petya ransomware outbreak.

How does Petya work? 

Petya infects computers and waits for about an hour before rebooting the machine. Once the reboot is complete, it will encrypt the entire hard disk, and all system files, including the Master Boot Record. It then demands a $300 payment in bitcoin.

Once on a machine, Petya collects login credentials stored on the computer to gain access to other systems. It then uses PsExec, a legitimate Microsoft remote-administration tool that lets a user run programs on remote machines, to try to infect other machines.

Where has it spread? 

Since Tuesday, June 27, Petya has infected over 12,500 machines in 65 countries. It first struck in Ukraine and has spread across Europe, Asia, and North America.

How does Petya spread? 

Petya originally appeared in the Ukraine. Organizations in Ukraine were infected after downloading a malicious update for the accounting and invoice software MeDoc. Multiple security firms have also seen the malware spread through phishing emails with malicious attachments pretending to be resumes or delivery notices.

Like WannaCry, Petya uses an “EternalBlue” software exploit for Windows, an exploit developed by the US National Security Agency that was subsequently stolen and leaked by the Shadow Brokers. Unlike WannaCry, Petya does not rely on computers vulnerable to EternalBlue to spread.

What makes this ransomware dangerous is that it not only uses exploits, but also legitimate tools to spread. This type of method can be very difficult to detect since it uses legitimate credentials to access other systems.

Fortunately, unlike WannaCry, this version of Petya spreads only within the networks it is already inside and doesn’t seed itself externally across the Internet, which slows the rate of new infections.

What are the hackers’ motivations?

What’s concerning is that, unlike other ransomware, Petya seems to be more damaging to the computers it encrypts. Researchers suspect that financial gain was not its creator’s goal, and widespread damage seems more likely. The malware’s developers didn’t design a robust system to pay the ransom, and the techniques used to encrypt the systems are far more damaging.

Petya was likely engineered to infect and damage a mass number of systems. It could also mean that Petya is simply a distraction while the attackers are working on something else.

Security experts recommend that organizations infected do not pay the ransom, as it is unlikely they will see their files decrypted.

What should organizations do? 

Many anti-virus companies claim now that their software has updates to actively deflect and protect against Petya infections.

One thing to do is to make sure your Windows systems are updated to include the patch for the EternalBlue exploit. Doing so removes at least one avenue the Petya ransomware can use.

If your computer is infected, switch the computer off while it is rebooting to prevent the files from being encrypted. You can then try to rescue the files from the machine. If your files are encrypted, disconnect your computer from the network to prevent the malware from spreading.

For some preventative measures, back up your files regularly and keep your anti-virus software up to date.

Need help with data security? Talk to one of our consultants! 

Steven Snelgrove (CISSP) has been a Security Analyst at SecurityMetrics for over 7 years. Since 1980, Snelgrove has worked in the computer and telecommunications industry, and has familiarity with programming, software engineering, and network security. His current responsibilities include the manual assessment of web applications and corporate networks, conducting ethical hacking to analyze security architecture, and consulting with organizations to help remediate issues. Snelgrove received a degree in Computer Science from Brigham Young University, and holds a CISSP (Certified Information Systems Security Professional) certification.

How Much Does PCI Compliance Cost?

Learn elements of reaching PCI compliance and realistic PCI security budgets.

By: Gary Glover
VP of Assessments
Note: This post was originally published on August 19, 2015 and has been updated. 

Being PCI compliant involves more than just filling out a PCI SAQ or completing a vulnerability scan. A lot of work and resources go into changing business procedures to ensure the protection of customer credit card data, and eventual PCI compliance.

Many businesses are confused about the budget they should set for PCI compliance. Often, they budget too little. Small budgets make it difficult for IT departments and third parties to upgrade equipment to the latest security standards and ensure the business protects its data.

So how much does PCI compliance actually cost?

The answer partially depends on how many transactions you process each year. Your business falls into one of two groups:

  • Businesses that process over 6 million Visa or MasterCard transactions per year (or businesses that feel they need an onsite audit): Businesses processing over 6 million Visa transactions annually (also known as Level 1 merchants) must have an onsite data security audit by a QSA (Qualified Security Assessor). Even if you aren’t a Level 1 merchant, but are still a large merchant (for example, processing 1 million transactions per year or above), it’s also highly recommended that you receive an audit. Many Level 2 (1 million to 6 million transactions) and Level 3 (20,000 – 1 million eCommerce transactions) merchants elect to get audits because they’re just too big to efficiently become PCI compliant by themselves.
  • Businesses that process less than 6 million Visa or MasterCard transactions per year: These businesses don’t handle as much card data as Level 1 merchants, but remember: they’re still required to be compliant. Requirements for compliance will at least include completing a Self-Assessment Questionnaire, but may also require vulnerability scanning, penetration testing, or security training. Your acquiring bank may pay for these services as part of their PCI compliance program, or they may leave you to take care of it. Either way, it’s up to you to decide whether you want a PCI DSS audit, but if you process less than 20,000 Visa or MasterCard transactions per year, it probably doesn’t make sense to get an onsite audit.

Variables that affect PCI DSS compliance cost

The cost of PCI compliance depends on your organization setup. Here are a few variables that will affect the overall cost of PCI compliance.

  • Your business type: Are you a franchise, service provider, or mom and pop shop? Each will have varying amounts of cardholder data, environment structure, and varying risk levels, which means different requirements.
  • Your organization size: Typically, the larger the organization, the more potential compliance gaps it has. More staff members, more programs, more processes, more computers, more cardholder data, and more departments means more cost.
  • Your organization’s security culture: If data security is one of upper management’s top priorities, increasing security costs probably isn’t a major internal struggle. In other cases, management is very hesitant to dish out budget to data security, because they don’t understand their organization’s security liabilities.
  • Your organization’s environment: The design of your network (LAN/WAN), networking technologies used, number and types of systems used, type of mobile devices, etc. can all affect PCI cost.
  • Your organization’s dedicated PCI staff: Even with a dedicated team, organizations usually require outside assistance or consulting to help them better understand and meet PCI requirements.
  • Your acquirer pre-pays: Some acquiring banks consult with a PCI DSS vendor and pay for their merchant’s PCI compliance. However, this is quite rare.

Now that we know the factors that could affect the cost of PCI, how much does it actually cost?

If you’re a small business, PCI DSS compliance should cost from $300 per year (depending on your environment).

  • Self-Assessment Questionnaire ~$50 - $200
  • Vulnerability scanning ~ $100 - $200 per IP address
  • Training and policy development ~ $70 per employee
  • Remediation (software and hardware updates, etc.) ~ Varies greatly based on where entity is today in relation to compliance and security, but estimated: ~ $100 - $10,000

If you are a large enterprise and need a PCI DSS audit, expect to pay from $70,000 per audit (depending on your environment).

  • Onsite audit ~ $40,000+
  • Vulnerability scans ~ $800+
  • Penetration testing ~ $5,000+
  • Training and policy development ~ $5,000+
  • Remediation (software and hardware updates, etc.) ~ Varies greatly based on where the entity is today in relation to compliance and security, but estimated: ~ $10,000 - $500,000

SEE ALSO: How Much Does a Data Breach Cost Your Organization?

Securing cardholder data is a challenge facing all businesses that process credit cards. Know that following the PCI DSS is a great place to start. Ignoring the PCI DSS, or going after it half-heartedly is a recipe for disaster.

PCI DSS is the best way to start your data security, and ultimately cheaper than exposing your brand to a data breach.

SEE ALSO: 5 Simple Ways to Get PCI Compliant

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.