In order to comply with PCI Requirement 8, you need to practice proper password and username management.
When it comes to your business's data security, passwords can be either a point of weakness or a barrier to attackers.
It's important to use different passwords for different services. That way, if one service is compromised, the stolen credentials can't be replayed against your other accounts (the attack known as credential stuffing).
From a business perspective, merchants must assign every user a unique username. When people share a username, they also share its password, so the credential is no longer a secret and the shared account is far more exposed to social engineering. On top of this, a business can't tell who performed a specific action in its systems when a pool of people share a single set of credentials, which defeats the audit trail.
PCI Requirement 8 requires accounts to be locked out after no more than six consecutive failed login attempts. Accounts must stay locked for a minimum of thirty minutes, or until a system administrator resets them. This blunts online brute-force attacks: an attacker who gets only six guesses before the account locks is unlikely to hit the right password and will usually move on to an easier target. Lockout is not a complete defense, though. It does nothing against an attacker who tries one common password across many accounts (password spraying) or who cracks a stolen password hash offline, and an attacker who knows valid usernames can deliberately trigger lockouts to deny service, so log and alert on lockout events rather than treating them as routine.
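The lockout rule above, as an added example (not SecurityMetrics code): a small policy wrapper that counts consecutive failures per account, locks after the sixth, refuses to evaluate the password while the lock is in force, expires the lock after thirty minutes, and lets an administrator reset it. The stand-in verifier and the timestamps are constructed for the demo; a real deployment compares against a salted, slow password hash.

```python
"""Account lockout as described above: lock after at most six consecutive
failed logins, keep the lock for at least thirty minutes or until an
administrator resets the account. Added example, not SecurityMetrics code."""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_FAILED_ATTEMPTS = 6    # PCI: lock out after no more than six attempts
LOCKOUT_SECONDS = 30 * 60  # PCI: locked for a minimum of thirty minutes


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: Optional[float] = None  # epoch seconds; None means not locked


class LockoutPolicy:
    """Wraps a credential verifier with per-account lockout bookkeeping.

    `verifier(username, password)` is assumed to do the real check against a
    properly hashed password store; the demo below uses a constructed stand-in.
    """

    def __init__(self, verifier: Callable[[str, str], bool],
                 max_attempts: int = MAX_FAILED_ATTEMPTS,
                 lockout_seconds: int = LOCKOUT_SECONDS) -> None:
        self.verifier = verifier
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, username: str) -> AccountState:
        return self._accounts.setdefault(username, AccountState())

    def is_locked(self, username: str, now: float) -> bool:
        st = self._state(username)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:
            # The lock has expired: clear it and start a fresh attempt count.
            st.locked_until = None
            st.failed_attempts = 0
            return False
        return True

    def attempt_login(self, username: str, password: str, now: float) -> bool:
        """True only if the account is unlocked and the credential check passes."""
        st = self._state(username)
        if self.is_locked(username, now):
            # Do not evaluate the password while locked: a locked account must
            # not leak whether a guess was right, and attempts during the lock
            # do not extend it.
            return False
        if self.verifier(username, password):
            st.failed_attempts = 0  # a success ends the consecutive-failure run
            return True
        st.failed_attempts += 1
        if st.failed_attempts >= self.max_attempts:
            st.locked_until = now + self.lockout_seconds
        return False

    def admin_reset(self, username: str) -> None:
        """Administrator unlock: clears the lock and the failure counter."""
        self._accounts[username] = AccountState()


# Constructed stand-in verifier for the demo; real systems compare against a
# salted password hash (bcrypt, scrypt or Argon2), never a plaintext table.
_DEMO_PASSWORDS = {"alice": "correct horse battery"}


def demo_verifier(username: str, password: str) -> bool:
    expected = _DEMO_PASSWORDS.get(username, "")
    return hmac.compare_digest(expected.encode(), password.encode())


def run_demo() -> dict:
    """Walks through six failures, a blocked correct login, expiry and admin reset."""
    policy = LockoutPolicy(demo_verifier)
    t0 = 1_700_000_000.0  # constructed timestamp
    results = {}
    for _ in range(MAX_FAILED_ATTEMPTS):
        policy.attempt_login("alice", "wrong guess", t0)
    results["locked_after_six"] = policy.is_locked("alice", t0)
    results["right_password_while_locked"] = policy.attempt_login(
        "alice", "correct horse battery", t0 + 60)
    results["right_password_after_expiry"] = policy.attempt_login(
        "alice", "correct horse battery", t0 + LOCKOUT_SECONDS)
    for _ in range(MAX_FAILED_ATTEMPTS):
        policy.attempt_login("alice", "wrong guess", t0 + LOCKOUT_SECONDS + 1)
    policy.admin_reset("alice")
    results["unlocked_by_admin"] = not policy.is_locked("alice", t0 + LOCKOUT_SECONDS + 2)
    return results
```

Note that a success resets the consecutive-failure counter, which is what "consecutive" means in the requirement, and that the correct password is rejected while the lock is in force. Because this counter is keyed by username, it does not slow down password spraying; pair it with per-source rate limiting and monitoring of failures across many accounts.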
See also: 5 Tips to Boost Your Business’s Physical Security
If a password isn't sufficiently strong, it's much easier for an attacker to gain access to an environment. An attacker may brute-force a login by trying password after password (with an automated tool that submits thousands of guesses in a matter of seconds) until one works, or, having stolen the password hashes, crack them offline where nothing slows the guessing down.
The PCI DSS requires passwords to be at least seven characters long and to contain both numeric and alphabetic characters. Other standards recommend longer passwords and the use of upper- and lower-case letters and special characters. Treat the PCI figure as a floor: passwords that fall short of it, and short passwords that only just meet it, can be broken quickly with a password-cracking tool.
In practice, length matters most. Every extra character multiplies the number of guesses an attacker has to make, and widening the character set multiplies it again: a seven-character password drawn from letters and digits has about 36^7, or roughly 78 billion, possibilities, and adding a single character makes it 36 times harder.
See also: How to Do Passwords Right: Password Management Best Practices
See also: SecurityMetrics PCI Guide
To beef up both personal and business data security, many have turned to using pass phrases instead of passwords. While passwords are short strings of letters, numbers and symbols (e.g., "2GetherForever1979!"), pass phrases are groups of words with spaces in between, e.g., "We Never Drove Past Albuquerque?"
A pass phrase can contain symbols and upper- and lower-case letters, and does not have to make sense grammatically. Pass phrases are generally easier to remember and, because they are so much longer, harder to crack than passwords, provided the words are not a famous quotation or song lyric that a cracking dictionary already contains.
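To put numbers on the two preceding points (the PCI length and composition floor, and why pass phrases resist cracking), here is an added example, not SecurityMetrics code: a check for the PCI minimum, plus an entropy estimate for passwords and for randomly chosen pass phrases. The 7,776-word diceware list size and the 1e10 guesses/second offline cracking rate are assumptions, labelled in the code.

```python
"""Password-policy check and search-space estimate for the passwords and pass
phrases discussed above. Added example, not SecurityMetrics code; the guess
rate and the 7,776-word dictionary size are assumptions, labelled below."""
import math
import string

PCI_MIN_LENGTH = 7  # PCI DSS minimum stated above: 7+ characters, letters and digits


def meets_pci_minimum(password: str) -> bool:
    """True if the password satisfies the PCI DSS floor: at least seven
    characters with at least one alphabetic and one numeric character."""
    return (len(password) >= PCI_MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def alphabet_size(password: str) -> int:
    """Size of the union of character classes the password actually uses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    if " " in password:
        size += 1
    return size


def password_bits(password: str) -> float:
    """Upper bound on entropy: treats every character as drawn uniformly from
    the classes in use. Human-chosen passwords (names, years, l33t swaps) fall
    far below this because cracking tools try those patterns first."""
    return len(password) * math.log2(alphabet_size(password))


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of a pass phrase whose words are picked uniformly at random from
    a word list (a 7,776-word diceware list is assumed in the demo). A memorable
    sentence or a song lyric is not a random pick and earns no such credit."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole search space at the given guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare_policies(guesses_per_second: float = 1e10) -> dict:
    """Bits of entropy and exhaustive-search time for several choices. The 1e10
    guesses/s rate is an assumed figure for an offline attack on a fast hash;
    an online attack against a rate-limited login is many orders slower."""
    samples = {
        "7 chars, letters+digits (PCI floor)": password_bits("abc1234"),
        "10 chars, all four classes": password_bits("2GetherF9!"),
        "19 chars, as on the page": password_bits("2GetherForever1979!"),
        "5 random diceware words": passphrase_bits(5, 7776),
        "6 random diceware words": passphrase_bits(6, 7776),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in samples.items()}
```

Run compare_policies() and the seven-character PCI floor falls in seconds at the assumed rate, while five random diceware words (about 65 bits) land in the same range as a ten-character password using all four character classes and six words pull far ahead. The estimate only holds when the words really are chosen at random, which is the caveat in the paragraph above.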
System security should not rest solely on the strength of a single password; no password should be considered uncrackable. That is why multi-factor authentication is an important part of securing remote access, and why PCI DSS requires it for remote network access.
Configuring multi-factor authentication requires at least two of the following three factors: something you know (such as a password or pass phrase), something you have (such as a token device or smart card), and something you are (a biometric).
Examples of effective multi-factor authentication for remote access include:
See also: New Multi-Factor Authentication Clarification and Supplement: The Principles You Should Know
Your authentication factors should be independent of each other (for example, physically separated), so that access to one factor does not grant access to another: if one factor is compromised, the integrity and confidentiality of the others are unaffected. A one-time code delivered to the same device that stores the password, or a token seed kept in the same database as the password hashes, breaks that independence.