PCI Requirement 8.2.5 – New Passwords/Passphrases Can’t Be the Same as Any of the Last Four Passwords/Passphrases Used

by Randy Bartels / December 20, 2022

Effectiveness of Changing Passwords

PCI Requirement 8.2.5 works in conjunction with PCI Requirement 8.2.4 to create secure passwords. Because PCI Requirement 8.2.4 requires passwords/passphrases to be changed every 90 days, PCI Requirement 8.2.5 dictates that new passwords/passphrases can’t be the same as any of the last four passwords/passphrases used. This prevents users from trying to alternate between the same few passwords or not reset their password at all by using…

PCI Requirement 8.2.4 – Change User Passwords/Passphrases at Least Once Every 90 Days

by Randy Bartels / December 20, 2022

Password/Passphrase Expiration

PCI Requirement 8.2.4 expects your organization to change user passwords/passphrases at least once every 90 days. The PCI DSS explains, “Passwords/passphrases that are valid for a long time without a change provide malicious individuals with more time to work on breaking the password/phrase.” You may think that a shorter password/passphrase expiration date would be more secure, but best practice states that 90 days is an appropriate period of…

PCI Requirement 8.2.3 – Passwords/Passphrases Must Require a Minimum of Seven Characters and Contain Both Numeric and Alphabetic Characters

by Randy Bartels / December 20, 2022

Requirements for Password/Passphrase Complexity and Strength

Passwords/passphrases are your organization’s first line of defense, which is why PCI Requirement 8.2.3 states that your users’ passwords/passphrases must require a minimum of seven characters and contain both numeric and alphabetic characters. The combination of length and alphanumeric characters gives passwords/passphrases the complexity and strength to stand against attackers. The PCI DSS explains, “Malicious individuals will often first try to find accounts with…

PCI Requirement 8.2.2 – Verify User Identity Before Modifying Any Authentication Credential

by Randy Bartels / December 20, 2022

Preventing Social Engineering

PCI Requirement 8.2.2 states, “Verify user identity before modifying any authentication credential.” How could this play out at your organization? Let’s imagine that you need a password reset, so you call a help desk and tell them the situation. If they unlocked your account and helped you reset the password, no questions asked, then what would stop an attacker from calling the help desk and asking the…

PCI Requirement 8.2.1 – Use Strong Cryptography to Render All Authentication Credentials Unreadable During Transmission and Storage

by Randy Bartels / December 20, 2022

Strong Cryptography in Transmission and Storage

PCI Requirements 3 and 4 help your organization implement strong cryptography methods, and we see it again here in PCI Requirement 8. Using strong cryptography is essential to protecting cardholder data. An attacker can easily capture unencrypted passwords during transmission and while in storage, and use this data to gain unauthorized access to your system or to the cardholder data environment. To prohibit this…