Account Lockout Duration
Once a user account is locked out after six log-in attempts, that account must remain locked. PCI Requirement 8.1.7 states, “Set lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.” Complying with PCI Requirement 8.1.7 can delay and prevent a malicious individual from attempting to continually guess a password. If your organization decides that reactivation must be requested to unlock the user account, this additional security parameter further validates that the legitimate account owner is requesting reactivation.
To verify compliance with PCI Requirement 8.1.7, an assessor will examine a sample of password parameters to ensure your organization has set the lockout duration to a minimum of 30 minutes.
In PCI Requirement 8.1.6, we talked about how to prevent a brute-force attack and that after six log-in attempts, the account becomes locked. When we look at PCI Requirement 8.1.7, it says that these accounts need to remain locked for at least 30 minutes or until an administrator resets the account. One of the things that we’re going to do as an assessor, for both of these requirements, we’re going to look at the mechanisms by which these controls are enforced. Is that a hard-coded setting? We may look at the source code as part of something you’ve developed within the application. We might ask you to actually fat-finger an account six or seven times to lock it. We’re going to look at how the application resets or opens up that account for authenticating to it again. Understand that when an account has been locked out, it needs to remain locked out for no less than 30 minutes or until an administrator resets that account.