PCI Requirement 8.2.6 – Set Passwords/Passphrases for First-Time Use and Upon Reset to a Unique Value for Each and Change Immediately After First Use

by Randy Bartels / December 20, 2022

Unique Value for First-Time Use and Resets

PCI Requirement 8.2.6 states, “Set passwords/passphrases for first-time use and upon reset to a unique value for each and change immediately after first use.” There are two elements to PCI Requirement 8.2.6 compliance. First, whenever a new account is being set up or reset, it needs to be given a unique value. Why? The PCI DSS explains, “If the same password is…

PCI Requirement 8.2.5 – New Passwords/Passphrases Can’t Be the Same as Any of the Last Four Passwords/Passphrases Used

by Randy Bartels / December 20, 2022

Effectiveness of Changing Passwords

PCI Requirement 8.2.5 works in conjunction with PCI Requirement 8.2.4 to create secure passwords. Because PCI Requirement 8.2.4 requires passwords/passphrases to be changed every 90 days, PCI Requirement 8.2.5 dictates that new passwords/passphrases can’t be the same as any of the last four passwords/passphrases used. This prevents users from alternating between the same few passwords, or from not resetting their password at all by using…

PCI Requirement 8.2.4 – Change User Passwords/Passphrases at Least Once Every 90 Days

by Randy Bartels / December 20, 2022

Password/Passphrase Expiration

PCI Requirement 8.2.4 expects your organization to change user passwords/passphrases at least once every 90 days. The PCI DSS explains, “Passwords/passphrases that are valid for a long time without a change provide malicious individuals with more time to work on breaking the password/phrase.” You may think that a shorter password/passphrase expiration date would be more secure, but best practice states that 90 days is an appropriate period of…

PCI Requirement 8.2.3 – Passwords/Passphrases Must Require a Minimum of Seven Characters and Contain Both Numeric and Alphabetic Characters

by Randy Bartels / December 20, 2022

Requirements for Password/Passphrase Complexity and Strength

Passwords/passphrases are your organization’s first line of defense, which is why PCI Requirement 8.2.3 states that your users’ passwords/passphrases must require a minimum of seven characters and contain both numeric and alphabetic characters. The combination of length and alphanumeric characters gives passwords/passphrases the complexity and strength to stand against attackers. The PCI DSS explains, “Malicious individuals will often first try to find accounts with…

PCI Requirement 8.2.2 – Verify User Identity Before Modifying Any Authentication Credential

by Randy Bartels / December 20, 2022

Preventing Social Engineering

PCI Requirement 8.2.2 states, “Verify user identity before modifying any authentication credential.” How could this play out at your organization? Let’s imagine that you need a password reset, so you call a help desk and tell them the situation. If they unlocked your account and helped you reset the password, no questions asked, then what would stop an attacker from calling the help desk and asking the…