PCI DSS password policy requirements
What is the PCI DSS?
At the end of 2004, five major credit card companies—namely American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.—joined together to create the Payment Card Industry Data Security Standard (PCI DSS) in an attempt to curb data fraud in the finance sector. Any organization that wants to process, store, or transmit credit card data must ensure that they comply with the mandated PCI DSS password policy requirements.
What are the PCI DSS password requirements?
To be PCI DSS compliant, organizations must enforce the password policy requirements mentioned in section 8 of the PCI DSS regulations. This section dealing with identity and access management has undergone considerable changes in 2022 based on the NIST 800-63B password guidelines. The following are the latest password policy requirements that the PCI DSS states:
- A password must have a minimum of 12 characters.
- Passwords must be alphanumeric in nature and be stored or transmitted with encryption.
- Passwords must be changed every 90 days and must not be a repetition of the previous four passwords.
- In scenarios where a password is generated for the user because the user is new or sometimes during a password reset, the generated password must be unique for every user and it must be changed after the first use.
- The allowed number of failed logon attempts must be limited to 10. If a user gets locked out of their account, their account should remain locked for 30 minutes or until a system administrator resets their account.
- The default vendor-supplied passwords or passphrases are not allowed and must be changed.
- Users must be authenticated with stringent MFA techniques.
- MFA is a requirement for non console access to the cardholder data environment (CDE) for administrators accessing all network and system components of CDE.
- For remote access, MFA can be used for either system/application or network level. While this has been specified as a best practice till 2025, it will be an audit requirement afterwards.
These PCI DSS password requirements address password complexity and strength only on a basic level so that they can accommodate the variation in technology between companies. Apart from these standards, the PCI DSS also allows companies to implement relevant password requirements specified by the National Institute of Standards and Technology Special Publication (NIST) 800-63B.
Simplify PCI DSS compliance with ADSelfService Plus
ADSelfService Plus offers advanced password policy settings to ensure your company complies with the password requirements of the PCI DSS. You can create a custom password policy that meets all the PCI DSS requirements and enforce it for all or specific AD users based on their domain, OU, or group membership.
- Enforce password history: Ensure password strength by enforcing password history during native password resets in the Windows Active Directory Users and Computers (ADUC) console.
- Set a custom password length: Enforce longer passwords for Windows domain users by specifying the minimum password length.
- Ensure password complexity: Ensure user passwords contain uppercase, lowercase, special, and numeric characters.
- Ban weak passwords: Blacklist leaked or weak AD passwords, patterns, and palindromes.
- Mandate MFA for users: Secure user access to cardholder data by enabling MFA for machines, applications, VPNs, RDPs, and OWA. Choose from a range of 19 different MFA authenticators to verify users' identities.
Benefits of using ADSelfService Plus to comply with the PCI DSS mandates
- Fine-grained flexibility: Create different password policies for different types of users in the organization according to their role and level of access to sensitive data.
- Increased password security: Enforce passphrases and restrict consecutively repeated characters from passwords. Blacklist weak or compromised passwords to make users set strong passwords. Enable the password strength analyzer to give users instant visual feedback on password strength when they change or reset their passwords.
- Compliance with regulatory standards: Ensure that your organization complies not only with the PCI DSS standards, but also with NIST SP 800-63B, HIPAA, Essential Eight, CJIS, SOX, and the GDPR compliance mandates.
Utilize advanced password policy settings and ban common words and patterns.
Your download is in progress and it will be completed in just a few seconds!
If you face any issues, download manually here
Free Active Directory users from attending lengthy help desk calls by allowing them to self-service their password resets/ account unlock tasks. Hassle-free password change for Active Directory users with ADSelfService Plus ‘Change Password’ console.
Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on, users can access all their cloud applications with their Active Directory credentials. Thanks to ADSelfService Plus!
Intimate Active Directory users of their impending password/account expiry by mailing them these password/account expiry notifications.
Synchronize Windows Active Directory user password/account changes across multiple systems, automatically, including Office 365, G Suite, IBM iSeries and more.
Ensure strong user passwords that resist various hacking threats with ADSelfService Plus by enforcing Active Directory users to adhere to compliant passwords via displaying password complexity requirements.
Portal that lets Active Directory users update their latest information and a quick search facility to scout for information about peers by using search keys, like contact number, of the personality being searched.