As we have seen, the Payment Card Industry Data Security Standard (PCI DSS) requires businesses to use alphanumeric passwords of seven or more characters. That is a sound practice, but password security has additional aspects that are just as vital for maintaining PCI compliance. Let's take a look at the other password requirements the PCI DSS sets.
Requirement 8.2.4 of the PCI DSS calls for organizations to change system passwords at least every 90 days. An account-lockout policy is another important component of a business's overall data security strategy: after a certain number of failed login attempts, the account is locked and further access attempts are refused. Requirement 8.1.6 requires organizations to lock an account after no more than six failed login attempts. The account should remain locked until at least 30 minutes have passed or a system administrator reactivates it.
The account should also require the user to reauthenticate, i.e., re-enter the password and, if needed, the user ID, after the session has been idle for 15 minutes. If appropriate, the system administrator can configure an even shorter idle period before reauthentication is demanded.
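The following is an added example, not code from the page or from the PCI Security Standards Council, showing how the rules above fit together in one in-memory account model: the seven-character alphanumeric minimum, the 90-day password age, lockout after six failures for 30 minutes (or until an administrator unlocks), and reauthentication after 15 idle minutes. It assumes that "alphanumeric" means at least one letter and one digit, uses PBKDF2 purely as an illustrative password store, and drives the scenario with a constructed reference time `T0` so the outcomes are deterministic; the class, function and variable names are all hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import hashlib
import hmac
import os

# Policy values from the PCI DSS requirements discussed in the text.
MIN_PASSWORD_LENGTH = 7                  # seven or more characters
MAX_PASSWORD_AGE = timedelta(days=90)    # Req. 8.2.4
MAX_FAILED_LOGINS = 6                    # Req. 8.1.6
LOCKOUT_DURATION = timedelta(minutes=30)
IDLE_TIMEOUT = timedelta(minutes=15)

# Constructed reference time so the scenario below is deterministic.
T0 = datetime(2024, 1, 1, 9, 0, 0)


def at(minutes: float = 0, days: int = 0) -> datetime:
    """Timestamp a given offset after T0 (helper for the scenario)."""
    return T0 + timedelta(days=days, minutes=minutes)


def password_meets_complexity(password: str) -> bool:
    """Assumption: 'alphanumeric' means at least one letter and one digit."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 is an illustrative choice; the page does not prescribe a hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    password_set_at: datetime
    failed_logins: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None   # None: no live session

    @classmethod
    def create(cls, user_id: str, password: str, now: datetime) -> "Account":
        if not password_meets_complexity(password):
            raise ValueError("password does not meet the complexity rule")
        salt = os.urandom(16)
        return cls(user_id, salt, _hash(password, salt), now)

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def password_expired(self, now: datetime) -> bool:
        return now - self.password_set_at >= MAX_PASSWORD_AGE

    def admin_unlock(self) -> None:
        """Administrator reactivation before the 30 minutes elapse."""
        self.locked_until = None
        self.failed_logins = 0

    def login(self, password: str, now: datetime) -> str:
        if self.is_locked(now):
            return "locked"
        if self.locked_until is not None:        # lock expired on its own
            self.admin_unlock()                   # same reset as a manual unlock
        if not hmac.compare_digest(_hash(password, self.salt), self.pw_hash):
            self.failed_logins += 1
            if self.failed_logins >= MAX_FAILED_LOGINS:
                self.locked_until = now + LOCKOUT_DURATION
                return "locked"
            return "denied"
        self.failed_logins = 0
        if self.password_expired(now):
            return "password_expired"             # force a change before use
        self.last_activity = now
        return "ok"

    def activity(self, now: datetime) -> str:
        """Call on every request of an authenticated session."""
        if self.last_activity is None or now - self.last_activity > IDLE_TIMEOUT:
            self.last_activity = None             # session ended; log in again
            return "reauth_required"
        self.last_activity = now
        return "ok"


def run_scenario() -> list:
    """Walk one account through the lockout, idle and ageing rules."""
    acct = Account.create("alice", "s3cretpw", T0)
    events = []
    for _ in range(5):
        events.append(acct.login("wrong", at(0)))           # denied x5
    events.append(acct.login("wrong", at(0)))               # 6th failure: locked
    events.append(acct.login("s3cretpw", at(10)))           # still locked
    events.append(acct.login("s3cretpw", at(31)))           # lock expired: ok
    events.append(acct.activity(at(40)))                    # idle 9 min: ok
    events.append(acct.activity(at(56)))                    # idle 16 min: reauth
    events.append(acct.login("s3cretpw", at(0, days=90)))   # password expired
    return events


if __name__ == "__main__":
    for event in run_scenario():
        print(event)
```

Running the script prints the eleven outcomes of the scenario in order. The lock expiry check in `login` resets the failure counter once the 30 minutes have elapsed; without that reset, a single further failure would immediately re-lock the account, which is stricter than the requirement as stated.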