What do you need to do to be compliant with Requirement 8?
|By: Jen Stone|
You’re not alone. For many people, and businesses, not changing and sharing passwords is a fairly common practice.
But to be compliant with PCI Requirement 8 and secure your businesses’ data, you need to have proper password and username management.
Here are a few things you should do.
Use unique usernames and passwords
compromised, your credentials can’t be used to access information from other services.
From a business perspective, merchants must implement unique usernames. When people share usernames, they also share passwords, which means the credentials are no longer secret, making shared accounts much more vulnerable to social engineering attacks. On top of this, businesses can’t identify exactly who performed a specific action in their systems when a pool of people share a single set of credentials.
Set lockout rulesPCI requires accounts to be locked after six consecutive failed login attempts. Accounts must stay locked for thirty minutes, or until a system administrator resets the account. This helps prevent several kinds of brute-force attacks. If an attacker only has six chances to guess the correct password, their attempts will likely fail. Once locked out, they will move on to an easier target.
SEE ALSO: 5 Tips to Boost Your Business’s Physical Security
Use complex passwordsIf a password isn’t sufficiently complex, it’s much easier for an attacker to gain access to an environment. An attacker may try a brute-force attack against a system by entering multiple passwords (via an automated tool entering thousands of passwords within a matter of seconds) until one works.
The PCI standard requires you to change passwords at least once every 90 days, and have at least 7 characters, including an upper- and lower-case letter. Other standards recommend requiring longer passwords and adding numbers and special characters. Passwords that fall short of these criteria can easily be broken using a password-cracking tool.
In practice, the longer the password and more character formats, the more difficult it will be for an attacker to crack a password.
SEE ALSO: How to Do Passwords Right: Password Management Best Practices
Create passphrasesShort passwords are easy to crack, even when they include numbers and special characters, so security professionals recommend much longer passwords than many people are in the habit of using. This means turning to phrases, instead of words.
You should use phrases to help you remember what your password is. For example the phrase, “I like eating 3 oranges in the morning while sun tanning” can be turned into “Ile3oItMwST!”
Your passwords should never contain words found in the dictionary.
Implement multi-factor authenticationmulti-factor authentication is an important part of securing remote access, and it’s a requirement under PCI DSS.
Configuring multi-factor authentication requires at least two of the following three factors:
- Something only you know (e.g., a username and password, PIN)
- Something only you have (e.g., hardware token, smartcard)
- Something only you are (e.g., fingerprint, ocular scan)
- The remote user enters their username and password, and then must enter a one-time password (OTP) sent to them on their smartphone.
- The remote user enters their username and password, and then must use a unique dynamic number found on an RSA SecureID token.
Your authentication mechanisms should be independent of each other (e.g., physical separation). This is so access to one factor does not grant access to another. Reason being: if one factor is compromised, it does not affect the integrity and/or confidentiality of any other factor.
Need help getting PCI compliant? Talk to us!
Jen Stone (MSCIS, CISSP, QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.