Ever since 2004, the payment card industry has required merchants who accept credit card payments to adhere to the Payment Card Industry Data Security Standards (PCI DSS, often shortened to PCI). This requirement doesn’t just apply to merchants, but is applicable to any organization that stores, or processes credit or debit card information or who processes accepts credit or debit card payments.
Unfortunately, PCI compliance is not a one-time endeavor.
Keeping your compliance up to date
The PCI requirements are periodically updated as technology and potential security threats evolve, and as NIST standards change.
For example, version 2.0 of the PCI requirements was released in 2010 and version 3.0 came out a short time later in 2013. There have also been several minor version updates that have been released over the years.
The important takeaway from a compliance standpoint is that the PCI requirements change over time and an organization that fails to keep up with these changes could lose its compliance status.
The most recent version of PCI is 4.0, which was released in 2022. This latest version of PCI builds on the standards set forth by PCI version 3.2.1. Most of the new requirements are related to authentication and to passwords, check them out here.
Five new requirements for PCI 4.0
- PCI version 4.0 requires multifactor authentication to be more widely used. Whereas multifactor authentication had previously been required for administrators who needed to access systems related to card holder data or processing, the new requirement mandates that multifactor authentication must be used for any account that has access to card holder data.
- The new standards also require user’s passwords to be changed every 12 months. Additionally, user’s passwords must be changed any time that an account is suspected to have been compromised.
- A third requirement is that PCI requires users to use strong passwords. While strong passwords have always been required by the PCI standard, the password requirements are more stringent than before. Passwords must now be at least 15 characters in length, and they must include numeric and alphanumeric characters. Additionally, user’s passwords must be compared against a list of passwords that are known to be compromised.
- Another requirement of PCI 0 is that organizations must review access privileges every six months to make sure that only those who specifically require access to card holder data are able to access that data.
- Finally, the latest version of PCI stipulates that vendor accounts care only to be enabled when they are needed and that those accounts must be monitored when they are used.
Addressing the new PCI requirements
Organizations that are subject to the PCI regulations must carefully consider how best to address these new requirements. Some of the requirements are relatively easy to address. For example, Windows group policy settings can be used to require 15-character passwords and to enforce complexity requirements. Similarly, group policies can be used to automatically expire passwords every 12 months.
Even so, some of the new requirements go beyond what Windows native security mechanisms are capable of. For example, Windows Server lacks the ability to compare user’s passwords against a list of passwords that are known to have been compromised. As such, organizations will need to adopt a third-party solution in order to meet this requirement.
A recent study found that 56% of breached passwords were deemed compliant with PCI requirements, so, it’s good to have a backup method of password protection in place.
One of the best tools for addressing the password related PCI requirements is Specops Password Policy. Specops Password Policy features an integrated tool that can compare an organization’s existing password policy against the latest PCI requirements to ensure compliance. As the PCI standards evolve over time, Specops Password Policy is updated to address those changes.
Additionally, Specops Password Policy gives organizations the tools that they need in order to meet the PCI password related requirements. For example, Specops maintains a database containing billions of passwords that are known to have been compromised.
User accounts can be audited at any time to ensure that users are adhering to the current password policy and are not using passwords that are known to have been compromised.
You can test out Specops Password Policy for free in your Active Directory, anytime.
Sponsored and written by Specops.
Comments
khuston - 1 year ago
> The new standards also require user’s passwords to be changed every 12 months.
What requirement is this in this spec? The closest I find is 8.3.9 which requires 90-day expiration of user passwords if used in single-factor authentication. I also see 12-month expiration of *system* passwords but not user passwords. I am not seeing a requirement to expire user passwords if MFA is enforced.