PCI Requirement 8.2.4 – Change User Passwords/Passphrases at Least Once Every 90 Days

by Randy Bartels / December 20, 2022

Password/Passphrase Expiration PCI Requirement 8.2.4 expects your organization to change user passwords/passphrases at least once every 90 days. The PCI DSS explains, “Passwords/passphrases that are valid for a long time without a change provide malicious individuals with more time to work on breaking the password/phrase.” You may think that a shorter password/passphrase expiration date would be more secure, but best practice states that 90 days is an appropriate period of…

PCI Requirement 8.2.3 – Passwords/Passphrases Must Require a Minimum of Seven Characters and Contain Both Numeric and Alphabetic Characters

by Randy Bartels / December 20, 2022

Requirements for Password/Passphrase Complexity and Strength Passwords/passphrases are your organization’s first line of defense, which is why PCI Requirement 8.2.3 states that your users’ passwords/passphrases must require a minimum of seven characters and contain both numeric and alphabetic characters. The combination of length and alphanumeric characters gives passwords/passphrases the complexity and strength to stand against attackers. The PCI DSS explains, “Malicious individuals will often first try to find accounts with…

PCI Requirement 8.2.2 – Verify User Identity Before Modifying Any Authentication Credential

by Randy Bartels / December 20, 2022

Preventing Social Engineering PCI Requirement 8.2.2 states, “Verify user identity before modifying any authentication credential.” How could this play out at your organization? Let’s imagine that you need a password reset, so you call a help desk and tell them the situation. If they unlocked your account and helped you reset the password, no questions asked, then what would stop an attacker from calling the help desk and asking the…

PCI Requirement 8.2.1 – Use Strong Cryptography to Render All Authentication Credentials Unreadable During Transmission and Storage

by Randy Bartels / December 20, 2022

Strong Cryptography in Transmission and Storage PCI Requirements 3 and 4 help your organization implement strong cryptography methods, and we see it again here in PCI Requirement 8. Using strong cryptography is essential to protecting cardholder data. An attacker can easily capture unencrypted passwords during transmission and while in storage, and use this data to gain unauthorized access to your system or to the cardholder data environment. To prohibit this…

PCI Requirement 8.2 – Ensure Proper User-Authentication Management by Something You Know, Something You Have, or Something You Are

by Randy Bartels / December 20, 2022

 Proper User-Authentication Management PCI Requirement 8.2 adds an additional layer of security to user IDs by requiring something you know, something you have, or something you are. It states, “In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: something you know (such as a password…