PCI Requirement 8.2.1 – Use Strong Cryptography to Render All Authentication Credentials Unreadable During Transmission and Storage

by Randy Bartels / December 20, 2022

Strong Cryptography in Transmission and Storage

PCI Requirements 3 and 4 help your organization implement strong cryptography methods, and we see it again here in PCI Requirement 8. Using strong cryptography is essential to protecting cardholder data. An attacker can easily capture unencrypted passwords during transmission and while in storage, and use this data to gain unauthorized access to your system or to the cardholder data environment. To prohibit this…

PCI Requirement 8.2 – Ensure Proper User-Authentication Management by Something You Know, Something You Have, or Something You Are

by Randy Bartels / December 20, 2022

Proper User-Authentication Management

PCI Requirement 8.2 adds an additional layer of security to user IDs by requiring something you know, something you have, or something you are. It states, “In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: something you know (such as a password…

PCI Requirement 8.1.8 – Require Re-Authentication After 15 Minutes of Inactivity

by Randy Bartels / December 20, 2022

Inactive Sessions

I’m sure you’ve witnessed or heard about situations where someone gets up from their workstation, but their session doesn’t log out. Inevitably, someone else uses their workstation to send an embarrassing or prank email on their behalf. But, what if it wasn’t something funny or embarrassing? What if a malicious user used your workstation and gained access to cardholder data? When users walk away from an open machine…

PCI Requirement 8.1.7 – Set Lockout Duration to a Minimum of 30 Minutes

by Randy Bartels / December 19, 2022

Account Lockout Duration

Once a user account is locked out after six log-in attempts, that account must remain locked. PCI Requirement 8.1.7 states, “Set lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.” Complying with PCI Requirement 8.1.7 can delay and prevent a malicious individual from attempting to continually guess a password. If your organization decides that reactivation must be requested to…

PCI Requirement 8.1.6 – Limit Repeated Access Attempts by Locking Out User ID After No More Than Six Attempts

by Randy Bartels / December 19, 2022

Appropriate Account Lockout Mechanisms

PCI Requirement 8.1.6 states, “Limit repeated access attempts by locking out the user ID after no more than six attempts.” Why is PCI Requirement 8.1.6 so important? Appropriate account lockout mechanisms cut off an attacker’s ability to continuously guess the password. Without the appropriate account lockout mechanisms in place, an attacker could attempt to guess account passwords until they’ve gained access. Take brute-force cracking, for example.…