PCI requirement 8

What do you need to do to be compliant with Requirement 8? 

By: Jen Stone, CISSP, QSA
When was the last time you changed your password on your computer? A few months? A few years?

You’re not alone. For many people and businesses, sharing passwords and never changing them is common practice.

But to be compliant with PCI DSS Requirement 8 (identify and authenticate access to all system components), and to secure your business’s data, you need proper username and password management.

Here are a few things you should do.

Use unique usernames and passwords

It’s important to use different passwords for different services. This way, if one service is compromised, your credentials can’t be used to access information from other services.

From a business perspective, merchants must implement unique usernames. When people share usernames, they also share passwords, which means the credentials are no longer secret, making shared accounts much more vulnerable to social engineering attacks. On top of this, businesses can’t identify exactly who performed a specific action in their systems when a pool of people share a single set of credentials.

Set lockout rules

PCI DSS requires accounts to be locked after no more than six consecutive failed login attempts. Accounts must stay locked for a minimum of thirty minutes, or until a system administrator re-enables the account. This blunts online password-guessing (brute-force) attacks against the login interface: if an attacker only gets six guesses before a thirty-minute wait, automated guessing becomes impractical and they will usually move on to an easier target. Note that lockout only limits online guessing; it does nothing to slow offline cracking of a stolen password hash, which is why the password requirements below still matter.
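The following is an added example, not code from the original article or from SecurityMetrics, showing how those two thresholds translate into login logic. The `LoginGuard` class, its in-memory user store and the injected clock are the example's own constructions (the clock is injected so the thirty-minute window can be exercised without waiting); the password hash is stdlib PBKDF2 purely to keep the example self-contained.

```python
"""Account lockout modelled on the PCI DSS thresholds: lock after six
consecutive failures, stay locked for 30 minutes or until an administrator
resets the account.  Added example; LoginGuard and its user store are
illustrative, not a real product's code."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

MAX_ATTEMPTS = 6            # PCI DSS: lock after no more than six invalid attempts
LOCKOUT_SECONDS = 30 * 60   # PCI DSS: remain locked for at least 30 minutes


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 (stdlib only, to keep the example self-contained;
    a real deployment would use bcrypt, scrypt or Argon2)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0          # consecutive failed attempts in the current window
    locked_until: float = 0.0  # unix time; 0.0 means not locked


class LoginGuard:
    """Minimal authentication front end that enforces the lockout rule."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.accounts: Dict[str, Account] = {}

    def add_user(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest)

    def is_locked(self, username: str) -> bool:
        return self.clock() < self.accounts[username].locked_until

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'.

        The lock is checked *before* the password, so a correct guess cannot
        slip through while the account is locked."""
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"              # same answer as a wrong password: do not confirm usernames
        if self.clock() < acct.locked_until:
            return "locked"
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failures = 0            # a successful login resets the counter
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_ATTEMPTS:
            acct.locked_until = self.clock() + LOCKOUT_SECONDS
            acct.failures = 0            # a fresh window starts once the lock expires
        return "denied"

    def admin_reset(self, username: str) -> None:
        """The 'or until an administrator resets the account' path."""
        acct = self.accounts[username]
        acct.failures = 0
        acct.locked_until = 0.0
```

Two details worth copying into a real implementation: the lock state is evaluated before the credential so the sixth-plus attempt can never succeed early, and an unknown username gets the same "denied" response as a wrong password so the login page does not tell an attacker which accounts exist.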


Use complex passwords

If a password isn’t sufficiently complex, it’s much easier for an attacker to gain access to an environment. An attacker may try a brute-force attack against a system by entering multiple passwords (via an automated tool entering thousands of passwords within a matter of seconds) until one works.

The PCI standard requires passwords to be changed at least once every 90 days (Requirement 8.2.4) and to be at least seven characters long and contain both numeric and alphabetic characters (Requirement 8.2.3). Other standards recommend longer minimum lengths and additional character types such as upper-case letters and special characters. Passwords that only just meet the PCI minimum can be broken quickly with a password-cracking tool.

In practice, the longer the password and the more character classes it uses, the larger the space an attacker has to search and the harder it is to crack.


Create passphrases

Short passwords are easy to crack, even when they include numbers and special characters, so security professionals recommend much longer passwords than many people are in the habit of using. This means turning to phrases, instead of words.

You should use phrases to help you remember what your password is. For example, the phrase “I like eating 3 oranges in the morning while sun tanning” can be turned into “Ile3oItMwST!” Your passwords should never contain words found in the dictionary.
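To make the two preceding sections concrete, here is an added example (not from the original article) that checks a candidate password against the PCI DSS 3.2.1 minimum quoted above and against a stricter illustrative profile, and estimates the brute-force search space, which is what decides how long an offline cracking tool needs. The stricter profile, the small word list and the guess rate of 10^10 per second are the example's own assumptions, not PCI requirements.

```python
"""Password-policy check and brute-force keyspace estimate.
Added example, not the article's or SecurityMetrics' code.  The PCI profile
mirrors PCI DSS 3.2.1 Req. 8.2.3 (7+ characters, alphabetic and numeric);
the 'strong' profile, COMMON_WORDS and the guess rate are assumptions."""
import string
from typing import Dict, Iterable

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "oranges"}

ALPHABET_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation),   # 32 printable ASCII symbols
}


def character_classes(password: str) -> Dict[str, bool]:
    """Which of the four character classes the password actually uses."""
    return {
        "lower": any(c in string.ascii_lowercase for c in password),
        "upper": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


def meets_pci_minimum(password: str) -> bool:
    """PCI DSS 3.2.1 Req. 8.2.3: at least 7 characters, both letters and digits."""
    cls = character_classes(password)
    return len(password) >= 7 and (cls["lower"] or cls["upper"]) and cls["digit"]


def contains_dictionary_word(password: str, words: Iterable[str] = COMMON_WORDS,
                             min_len: int = 4) -> bool:
    """Case-insensitive substring match against the word list (the article's
    'never contain words found in the dictionary' rule)."""
    lowered = password.lower()
    return any(w in lowered for w in words if len(w) >= min_len)


def meets_strong_policy(password: str) -> bool:
    """Illustrative stricter profile (an assumption, not PCI): 12+ characters,
    at least three character classes, no dictionary words."""
    cls = character_classes(password)
    return (len(password) >= 12
            and sum(cls.values()) >= 3
            and not contains_dictionary_word(password))


def keyspace(password: str) -> int:
    """Number of candidates an attacker must try if they know the length and
    the character classes in use: alphabet_size ** length."""
    cls = character_classes(password)
    alphabet = sum(size for name, size in ALPHABET_SIZES.items() if cls[name])
    return alphabet ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to exhaust the keyspace offline.  1e10 guesses/s is an
    assumed rate in the ballpark of GPU cracking of a fast, unsalted hash."""
    return keyspace(password) / guesses_per_second
```

Run against the article's own example: “abc1234” passes the PCI minimum but its 36^7 keyspace is exhausted in seconds at the assumed rate, while “Ile3oItMwST!” (four classes, 12 characters) gives 94^12 candidates, tens of thousands of years at the same rate. The gap between the two is the reason the "passphrase" advice above exists.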

Implement multi-factor authentication

System security should not rest solely on the complexity of a single password; no password should be considered uncrackable. That’s why multi-factor authentication is an important part of securing remote access, and PCI DSS requires it for all non-console administrative access and all remote network access into the cardholder data environment (Requirement 8.3).

Configuring multi-factor authentication requires at least two of the following three factors:
  • Something only you know (e.g., a password or PIN; the username is an identifier, not a secret) 

  • Something only you have (e.g., hardware token, smartcard) 

  • Something only you are (e.g., fingerprint, ocular scan) 

Examples of effective multi-factor authentication for remote access include: 

  • The remote user enters their username and password, and then must enter a one-time password (OTP) sent to them on their smartphone. 

  • The remote user enters their username and password, and then must enter the current code displayed on a hardware token such as an RSA SecurID. 


The factors must be independent of each other (e.g., physically separate devices), so that access to one factor does not grant access to another: if one factor is compromised, the confidentiality and integrity of the other factors are unaffected. 


Jen Stone (MSCIS, CISSP, QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.