For those of you who just want the mission briefing without the epic backstory, here’s a swift, no-nonsense rundown of the PCI DSS v4.0.1 password and user account commandments. Think of it as the cheat sheet for not getting on the audit team’s bad side.
If you’re here to conquer the entire saga, a true hero’s journey, then make sure to check out our Series Overview Page for all the other exciting chapters and quick-reference guides. You can also jump directly to Part 1: The Guardians of the Gate – Unmasking PCI DSS Password Rules or Part 2: The Environment Setup – Preparing for pgtle Glory for more detailed information.
Minimum Length (PCI DSS 8.3.6): Your passwords need to be at least 12 characters long. Seriously, no shortcuts here. If you’re still rocking an 8-character password, it’s time for an upgrade!
Complexity (PCI DSS 8.3.6): Passwords must be a glorious mashup: include special characters, uppercase letters, lowercase letters, AND numbers. Don’t be lazy; make it a challenge to guess!
Re-use (PCI DSS 8.3.7): You cannot, under any circumstances, use a password that is one of your previous four passwords. No recycling, folks! Keep it fresh.
Change Frequency (Conditional) (PCI DSS 8.3.9):
If passwords are your ONLY authentication factor (no MFA), you must change them every 90 days.
If you’re using Multi-Factor Authentication (MFA), you can switch to a risk-based approach for password changes. (But you still need a plan!)
Inactive User Accounts (PCI DSS 8.2.6): Any user account that hasn’t been active for 90 days must be removed or disabled. Don’t leave those digital doors open for lurking shadows!
Account Lockout (PCI DSS 8.3.4): After a maximum of 10 unsuccessful login attempts, the account must be locked out for at least 30 minutes, or until identity is verified. No brute-force parties allowed!
Vendor Defaults (PCI DSS 2.2.2): Change, disable, or remove all vendor-supplied default passwords immediately. Leaving “admin” as the password is like inviting trouble to tea.
Mandate a Password Change After First Login (PCI DSS 8.3.5): If passwords are your sole authentication factor, users must change their password after their initial login. It’s their first, essential quest!
Application and System Accounts (PCI DSS 8.6.3): Passwords for application and system accounts must be protected against misuse. Best practices suggest:
Length: At least 15 characters.
Complexity: Alphanumeric, upper- and lower-case letters, and special characters.
Changes: Periodically (at least once a year is a best practice), and upon suspicion of compromise.
Multi-Factor Authentication (MFA) for CDE Access (PCI DSS 8.4.2): This is a critical addition in v4.0.1. MFA is required for:
All non-console access to the Cardholder Data Environment (CDE) for personnel.
All access to the CDE for administrators. This goes beyond just password changes; it’s about adding an extra layer of verification (like a one-time code or biometric scan) to ensure only authorized individuals access sensitive systems.
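To make the thresholds above concrete, here is an added Python example (not code from this series or from pg_tle) that encodes 8.3.6, 8.3.7 and 8.3.4 as checks over a constructed account record; the Account class, its per-account salt and the PBKDF2 digests used for the password history are assumptions for the demo, not anything the standard prescribes.

```python
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 12                         # 8.3.6
HISTORY_DEPTH = 4                       # 8.3.7: none of the previous four
MAX_FAILED_ATTEMPTS = 10                # 8.3.4
LOCKOUT_PERIOD = timedelta(minutes=30)  # 8.3.4

@dataclass
class Account:  # constructed record for the demo, not a real user store
    salt: bytes                                  # per-account salt for the history digests
    history: list = field(default_factory=list)  # salted digests of past passwords, newest last
    failed_attempts: int = 0
    locked_until: datetime = None

def complexity_failures(password: str) -> list:
    """Names of the 8.3.6 rules the password breaks; an empty list means it passes."""
    rules = {
        "length": len(password) >= MIN_LENGTH,
        "uppercase": re.search(r"[A-Z]", password) is not None,
        "lowercase": re.search(r"[a-z]", password) is not None,
        "number": re.search(r"[0-9]", password) is not None,
        "special": re.search(r"[^A-Za-z0-9]", password) is not None,
    }
    return [name for name, ok in rules.items() if not ok]

def set_password(acct: Account, new_password: str) -> list:
    """Apply 8.3.6 and 8.3.7; on success store the digest and keep only the last four."""
    failures = complexity_failures(new_password)
    # Salted PBKDF2 so the history never holds plaintext passwords.
    digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), acct.salt, 100_000)
    if digest in acct.history[-HISTORY_DEPTH:]:
        failures.append("reuse")
    if not failures:
        acct.history = (acct.history + [digest])[-HISTORY_DEPTH:]
    return failures

def login_attempt(acct: Account, success: bool, now: datetime) -> str:
    """Apply 8.3.4: the tenth consecutive failure locks the account for thirty minutes."""
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"
    if success:
        acct.failed_attempts, acct.locked_until = 0, None
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.failed_attempts, acct.locked_until = 0, now + LOCKOUT_PERIOD
    return "failed"
```

The 8.3.4 "or until identity is verified" alternative is the unlock path an administrator would take by clearing locked_until after an out-of-band check; it is left out here to keep the lockout logic in one place.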
There you have it! The core requirements, straight from the digital horse’s mouth. Now you’re armed with the essentials to keep those auditors (and villains) at bay.