PCI DSS Password Requirements Explained

August 22, 2024

Credit card fraud has been rising since the introduction of online shopping. To curb the problem, top credit card companies created the Payment Card Industry Data Security Standard (PCI DSS) in 2004. Since its establishment, PCI DSS has undergone multiple changes to enhance security further.

What Are the PCI Standards for Passwords?


PCI password standards apply to everyone who uses or stores data with credit cards. The standard sets clear policies for reducing credit card fraud. 

What Kind of Variation Should Passwords Have?

PCI passwords shouldn’t be simple. They should include numerous variables to make them more complex. For instance, one should mix numerals and upper- and lowercase letters when creating passwords and include symbols as well. Here is an example of PCI DSS password variation: qgfJK$143.FGbn.

Varying the characters makes it hard for an intruder to guess a password. One should avoid common names of pets or favorite items for maximum security.

How Many Characters Should a Password Be According to PCI DSS?

PCI DSS passwords should be long. Having more characters makes it harder to guess or copy the password. 

What Is the Minimum Password Length for PCI DSS V4.0?

The ideal password should have a minimum of 12 characters. Users should use at least eight characters for systems that don’t support 12 characters. 

Initially, the password length requirement was seven characters, but newer evidence now shows it should be at least 12. If your system does not support 12 characters, you should include the maximum amount of characters it will allow.

How Often Does PCI DSS Require Passwords To Be Changed?

Intruders can learn a password if it remains the same for a long period of time. The PCI standard recommends users change their passwords every 90 days. Regular updates increase security, making it hard for someone to learn the password.

How Many Failed Login Attempts Do You Get?

The PCI DSS standard allows at most ten failed login attempts. After that the account is locked, and you must wait at least 30 minutes before trying again. Once the time elapses, the system administrator should reset the password.

Should You Change the Default Password?

A new card normally comes with a default password. According to PCI DSS password requirements, users should change the default password after the first use. Changing other authentication information, like security details, can also help create unique and hard-to-guess passwords.

What Is Multi-Factor Authentication?

PCI DSS requires MFA when logging in. Multi-factor authentication requires users to present more than one piece of evidence to log in. Besides the usual password, they should verify their identity in other ways. Common types of multi-factor authentication include:

  • Email code verification.
  • Call or text for one-time passwords.
  • Biometric authentication.
  • Use of verification links.
  • Temporary codes on mobile apps.

The policy recommends using at least two types of multi-factor authentication.

Can You Repeat Passwords?

When users change a password, they cannot use it again as per the PCI DSS standard. The system automatically rejects the old passwords. This configuration helps prevent fraud, in case a fraudulent person knows the old passwords.
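The length, character-variation, 90-day rotation and no-reuse rules described in the sections above can be enforced in one place at password-change time. The following is an added example, not code from the article or from Compyl; it stores only salted PBKDF2 hashes of previous passwords (an assumption about the storage scheme, since the article does not specify one) and uses constructed timestamps for the demonstration.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Policy parameters as stated in the article: at least 12 characters (or the
# system's maximum, never below 8, where 12 is unsupported), mixed character
# classes, a 90-day maximum age, and no reuse of earlier passwords.
MIN_LENGTH = 12
FLOOR_LENGTH = 8
MAX_AGE = timedelta(days=90)
PBKDF2_ROUNDS = 100_000  # assumed work factor; tune for the deployment


def check_complexity(password: str, system_max_length: Optional[int] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    required = MIN_LENGTH
    if system_max_length is not None and system_max_length < MIN_LENGTH:
        # The system cannot hold 12 characters: demand everything it allows.
        required = system_max_length
    problems = []
    if required < FLOOR_LENGTH:
        problems.append("system cannot hold the 8-character floor")
    if len(password) < required:
        problems.append(f"shorter than {required} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 so the history never stores a plaintext password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class PasswordRecord:
    """Per-user password state: hashes of current and former passwords plus the last change time."""

    def __init__(self) -> None:
        self.history: List[Tuple[bytes, bytes]] = []
        self.last_changed: Optional[datetime] = None

    def was_used_before(self, password: str) -> bool:
        # Re-derive the hash under each stored salt; compare_digest avoids timing leaks.
        return any(
            hmac.compare_digest(hash_password(password, salt)[1], digest)
            for salt, digest in self.history
        )

    def set_password(self, password: str, now: datetime,
                     system_max_length: Optional[int] = None) -> List[str]:
        """Apply a password change; returns the violations, or [] when the change was accepted."""
        problems = check_complexity(password, system_max_length)
        if self.was_used_before(password):
            problems.append("password was used before")
        if problems:
            return problems
        self.history.append(hash_password(password))
        self.last_changed = now
        return []

    def is_expired(self, now: datetime) -> bool:
        """True once the 90-day rotation window has passed (or no password was ever set)."""
        return self.last_changed is None or now - self.last_changed > MAX_AGE


def run_policy_demo():
    """Walks a change sequence with constructed timestamps; returns the outcomes."""
    t0 = datetime(2024, 8, 22, 9, 0)  # constructed timestamp
    record = PasswordRecord()
    first = record.set_password("qgfJK$143.FGbn", t0)                         # the article's sample
    second = record.set_password("Xy9#abcdEFGHij", t0 + timedelta(days=30))
    reuse = record.set_password("qgfJK$143.FGbn", t0 + timedelta(days=60))    # old password again
    return (first, second, reuse,
            record.is_expired(t0 + timedelta(days=60)),    # 30 days since last change
            record.is_expired(t0 + timedelta(days=121)))   # 91 days since last change


if __name__ == "__main__":
    print(run_policy_demo())  # ([], [], ['password was used before'], False, True)
```

The history check re-derives the hash under every stored salt, so the cost grows with the number of remembered passwords; keeping only the last few entries bounds that cost while still rejecting the reuse the article describes.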

Are Secure Wireless Systems Safe?

Most companies use wireless systems to stay connected. Such systems can be loopholes for scammers if they lack proper security. The PCI DSS recommends encrypting all wireless systems. Wireless passwords need regular updates as well. Encrypting the access points prevents packet-sniffing hardware or software from capturing data in the clear, even when network traffic is high.

Do Systems Lock When Not in Use?

In PCI DSS, the systems should automatically lock when idle. The locking happens within 15 minutes. If you leave the systems for over 15 minutes, you must re-enter the passwords. The automatic locking minimizes the risk of someone else accessing the system during the idle period.

What Are Safety Locks?

Sometimes, a system administrator may lock an account. This happens when there is suspicious activity. After the lock, the user must wait at least 30 minutes before the account becomes active. After the activation, new identity authentication is mandatory to confirm the user’s identity. Such safety locks help minimize attempts from unauthorized users.
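The failed-attempt limit, the 30-minute lock and the 15-minute idle timeout from the sections above combine into a small per-account state machine. The following is an added example, not code from the article or from Compyl; the `verify` callable and the user name are hypothetical placeholders for whatever credential store a real system uses, and the timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

# Thresholds as stated in the article: ten failed attempts, a 30-minute lock,
# and a 15-minute idle timeout after which the password must be re-entered.
MAX_FAILED_ATTEMPTS = 10
LOCKOUT = timedelta(minutes=30)
IDLE_TIMEOUT = timedelta(minutes=15)


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    session_active: bool = False
    last_activity: Optional[datetime] = None


class Authenticator:
    """Tracks failed attempts, lockouts and idle sessions per user.

    `verify(user, password)` is a hypothetical credential check supplied by the
    caller; a real deployment would compare against a salted hash store.
    """

    def __init__(self, verify: Callable[[str, str], bool]) -> None:
        self.verify = verify
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def login(self, user: str, password: str, now: datetime) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        st = self._state(user)
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"  # inside the 30-minute lock: the password is not even checked
            st.locked_until = None  # lock has elapsed; start counting afresh
            st.failed_attempts = 0
        if not self.verify(user, password):
            st.failed_attempts += 1
            if st.failed_attempts >= MAX_FAILED_ATTEMPTS:
                st.locked_until = now + LOCKOUT
                return "locked"
            return "denied"
        st.failed_attempts = 0  # a successful login clears the counter
        st.session_active = True
        st.last_activity = now
        return "ok"

    def touch(self, user: str, now: datetime) -> str:
        """Call on every request: 'active' while the session is live, 'reauth' once idle too long."""
        st = self._state(user)
        if not st.session_active or st.last_activity is None:
            return "reauth"
        if now - st.last_activity > IDLE_TIMEOUT:
            st.session_active = False  # idle past 15 minutes: the password must be re-entered
            return "reauth"
        st.last_activity = now
        return "active"


def run_lockout_demo() -> List[str]:
    """Walks the article's scenario with constructed timestamps; returns each outcome."""
    t0 = datetime(2024, 8, 22, 9, 0)  # constructed timestamp
    auth = Authenticator(lambda user, pw: (user, pw) == ("alice", "Correct-Horse-9!"))
    results = []
    for i in range(MAX_FAILED_ATTEMPTS):  # ten wrong guesses, one second apart
        results.append(auth.login("alice", "wrong", t0 + timedelta(seconds=i)))
    results.append(auth.login("alice", "Correct-Horse-9!", t0 + timedelta(minutes=10)))  # still locked
    results.append(auth.login("alice", "Correct-Horse-9!", t0 + timedelta(minutes=31)))  # lock elapsed
    results.append(auth.touch("alice", t0 + timedelta(minutes=36)))  # 5 minutes idle
    results.append(auth.touch("alice", t0 + timedelta(minutes=52)))  # 16 minutes idle
    return results


if __name__ == "__main__":
    print(run_lockout_demo())
```

Note that a correct password presented during the lock window is still refused and the password is not checked at all, which is what stops the tenth failure from simply being followed by an eleventh guess.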

Are PCI DSS Requirements Enough to Curb Cyber-Attacks?


PCI DSS requirements are not enough to fully protect against cyber-attacks. These policies reduce the primary risks associated with the use of credit cards.

When fighting cyber risks, users should pay attention to all aspects of their systems. Here are some effective ways to prevent cyber-attacks in addition to observing the PCI DSS password requirements:

  • Secure networks by investing in firewalls
  • Use antivirus software
  • Back up sensitive data

Don’t overlook physical access even as you focus on protecting your devices with passwords. Limit the number of people accessing devices with sensitive company data or customer details.

How to Comply With PCI DSS Password Requirements

The PCI DSS password requirements help individuals and businesses encrypt their data. Strong passwords reduce exposure to outside hackers and to internal employees with hacking motives. Below are the top five practices that you may adopt to remain compliant with the password requirements:

  1. Embrace multi-factor authentication (MFA). You may use complex biometrics like voice recognition and fingerprints for maximum security. MFA also applies to remote employees and administrators.
  2. Use hard-to-guess passwords and ensure they have at least 12 characters.
  3. Avoid using hard-coded passwords because hackers may easily exploit them. They create a hole that lets an attacker bypass the authentication process.
  4. Train all employees, including remote ones, on the password standards.
  5. Seek the help of a data security professional when necessary.

Let Compyl Help You Meet PCI DSS 4.0 Password Requirements

Data security is a primary concern for businesses. You should protect your personal information from hackers at all times. Adopting the PCI DSS 4.0 password requirements is a good idea for staying safe. These policies ensure you set strong passwords and update them regularly. By doing so, you keep potential hackers out of your business.

Are you wondering how the PCI DSS 4.0 standards may affect your business? Do you need managed services to improve business security? If so, Compyl is here for you. We offer information security services that align with a business’s regulations and policies. Get in touch for help with business data security and compliance monitoring.
