PCI Requirement 8.1.6 – Limit Repeated Access Attempts by Locking Out User ID After No More Than Six Attempts

by Randy Bartels / December 21st, 2017

Appropriate Account Lockout Mechanisms

PCI Requirement 8.1.6 states, “Limit repeated access attempts by locking out the user ID after no more than six attempts.” Why is PCI Requirement 8.1.6 so important? Appropriate account lockout mechanisms cut off an attacker’s ability to continuously guess the password.

Without the appropriate account lockout mechanisms in place, an attacker could attempt to guess account passwords until they’ve gained access. Take brute-force cracking, for example. This is a trial-and-error method that continuously tries every combination of a password. If you guess enough times, the password will be found. Protection from attacks like these is critical for your organization.

Within the industry and the hacking community, there’s something called brute-forcing. A brute-force attempt is where somebody uses an application (sometimes you can do it manually) to brute-force a password. These applications will submit a username and every combination of password that you can imagine until the password is guessed. If you guess enough times, the password will be discovered. As part of this, to prevent the brute-force attack, the PCI DSS requires that an account be locked after it has had six failed access attempts.

When we look at this particular requirement, understand that this is not just your authentication store or your authentication library. It’s also an FTP server, a web server, really any place that an individual might authenticate. If the account has been used six times unsuccessfully, the account must be locked.
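The lockout rule described above, sketched as an added example that is not part of the original article: one failure counter per user ID, shared by every place the ID can authenticate, so guesses spread across services still add up to six. The class and function names, the service labels, the reset-on-success behaviour and the administrative unlock are assumptions made for illustration.

```python
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 6  # PCI Requirement 8.1.6: lock after no more than six attempts

@dataclass
class LockoutPolicy:
    """One failure record per user ID, shared by every authentication surface."""
    max_failed: int = MAX_FAILED_ATTEMPTS
    failures: dict = field(default_factory=dict)  # user ID -> services that saw a failure
    locked: set = field(default_factory=set)      # user IDs currently locked out

    def attempt(self, user_id, service, password_ok):
        """Record one attempt from any service; return 'ok', 'denied' or 'locked'."""
        if user_id in self.locked:
            # A locked ID is refused even with the right password; otherwise
            # guessing could simply continue until one attempt succeeds.
            return "locked"
        if password_ok:
            self.failures.pop(user_id, None)  # assumption: a success resets the count
            return "ok"
        self.failures.setdefault(user_id, []).append(service)
        if len(self.failures[user_id]) >= self.max_failed:
            self.locked.add(user_id)
            return "locked"
        return "denied"

    def unlock(self, user_id):
        """Administrative unlock (assumed release mechanism, not from the article)."""
        self.locked.discard(user_id)
        self.failures.pop(user_id, None)

def replay(events, policy=None):
    """Feed (user_id, service, password_ok) events through one shared policy."""
    policy = LockoutPolicy() if policy is None else policy
    return [policy.attempt(user, svc, ok) for (user, svc, ok) in events]

# Constructed sample events: failures for one ID arrive through different services.
SAMPLE_EVENTS = [
    ("alice", "web", False), ("alice", "ftp", False), ("alice", "web", False),
    ("alice", "ssh", False), ("alice", "ftp", False), ("alice", "web", False),
    ("alice", "web", True),   # correct password, but the ID is already locked
    ("bob", "web", False), ("bob", "web", True),
]

if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", result)
```

If each service kept its own counter instead, the same six failures for `alice` would never reach the limit on any single service, which is the gap the shared counter closes.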