The Payment Card Industry Data Security Standard (PCI DSS) is a compliance initiative that concerns all companies that process, transmit, and store payment card data. More specifically, it contains a long list of mandatory requirements that businesses must uphold to defend against data breaches and avoid massive penalties. Chief among these requirements is preventing unauthorized access to company accounts by using password best practices. If your business manages payment card information, here are the PCI DSS password requirements you must uphold:
1. Create long and complex passwords
According to PCI DSS, employees must use passwords of at least seven characters that contain a mix of numbers and letters. While these requirements can protect your company accounts, they’re only the bare minimum for password security. One of the most common ways cybercriminals find their way into company accounts is through brute force attacks, which involve guessing login credentials by trying every possible combination of characters. By using automated brute force software, hackers can theoretically crack a seven-character password in one minute.
What’s more, people tend to set simple combinations that would take hackers merely seconds to crack. Employees could be using their birthday, mother’s maiden name, or favorite sport as their password, which could be found in their social media profiles.
Generally, the longer and more complicated the password, the more difficult it is for cybercriminals to guess or crack it. Instead of passwords that only use one word, users should set memorable yet random passphrases that sprinkle in lower- and uppercase letters, numbers, and symbols, like “apple4Wonder6Plan$”. When employees set passwords that have more than 12 characters, brute force attacks can take thousands, if not millions, of years to guess the right combination.
2. Use unique passwords
Businesses must instantly change factory default passwords (e.g., admin, password, guest) in devices and applications because anyone can easily guess these. Users should also set passwords that are unique to each account to limit what cybercriminals can gain access to if they manage to steal one set of login credentials.
3. Reset your passwords
PCI DSS requires users to reset their passwords at least every 90 days. The new password must also be different from the previous four passwords a user has set. For optimal security, it’s best that your new password doesn’t resemble any of your old ones, even if it has additional or rearranged characters.
If creating a new password every quarter seems like a hassle, then your company should implement trustworthy password managers like LastPass or Dashlane. These tools generate and store strong passwords so you don’t have to remember dozens of complex passwords. All you need to remember is one master password that grants you access to all your newly generated, PCI-compliant passwords.
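The length, character-mix, password-history and 90-day-age rules from sections 1 and 3 can be enforced in one place at password-change time. The following is an added example written for this article, not code from the original post or from any PCI DSS tooling; it assumes timestamps arrive as epoch seconds, keeps only salted PBKDF2 digests (never the passwords themselves) for the history comparison, and uses an iteration count picked for the demo.

```python
import hashlib
import hmac
import os

# Policy constants taken from the PCI DSS figures quoted above.
MIN_LENGTH = 7                      # at least seven characters
HISTORY_SIZE = 4                    # must differ from the previous four passwords
MAX_AGE_SECONDS = 90 * 24 * 3600    # reset at least every 90 days
PBKDF2_ROUNDS = 100_000             # assumption: iteration count chosen for this demo

def hash_password(password, salt=None):
    """Salted one-way PBKDF2-HMAC-SHA256 digest; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest

def meets_complexity(password):
    """The PCI minimum as stated above: seven characters mixing letters and digits."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))

class PasswordRecord:
    """Per-user state: recent (salt, digest) pairs plus when the current password was set."""
    def __init__(self):
        self.history = []       # oldest first; only the last HISTORY_SIZE entries are consulted
        self.last_set = None    # epoch seconds (as from time.time()) of the current password

    def violations(self, candidate):
        """List the rules a proposed password breaks (an empty list means acceptable)."""
        problems = []
        if not meets_complexity(candidate):
            problems.append("shorter than %d characters or lacks letters/digits" % MIN_LENGTH)
        if any(hmac.compare_digest(hash_password(candidate, salt)[1], digest)
               for salt, digest in self.history[-HISTORY_SIZE:]):
            problems.append("matches one of the previous %d passwords" % HISTORY_SIZE)
        return problems

    def set_password(self, candidate, now):
        """Store the new password's salted digest once it passes every check."""
        problems = self.violations(candidate)
        if problems:
            raise ValueError("; ".join(problems))
        self.history.append(hash_password(candidate))
        self.last_set = now

    def expired(self, now):
        """True once the current password is 90 days old (or none has been set yet)."""
        return self.last_set is None or now - self.last_set >= MAX_AGE_SECONDS
```

Because each history entry keeps its own salt, the candidate is re-hashed with that salt for the comparison, so a reused password is caught without the old passwords ever being stored in the clear.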
4. Limit login attempts and lock accounts
As mentioned, a strong password will usually require more attempts for brute force software to crack. However, if everyone has unlimited login attempts to your company’s accounts, cybercriminals can simply keep guessing password combinations until they’ve struck gold.
The simplest way to defend against these attacks is to limit the number of login attempts. To be PCI compliant, organizations should temporarily lock out user accounts after six invalid access attempts. At the very least, users should be locked out for 30 minutes, but it’s often safer for a system administrator to unlock the account and reset the attempt counter. This way, users will have to report a locked account to the IT department, and administrators can determine whether there’s a legitimate threat. Requiring an extra step to unlock the account and reset the attempt counter stops brute force attackers from simply automating the password cracking process.
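The lockout rule above (six invalid attempts, locked for at least 30 minutes, optionally until an administrator intervenes) is small enough to show in full. This is an added example for this article, not code from the original post or from any vendor product; it assumes the login handler passes in the current time as epoch seconds, and the `require_admin_unlock` flag is a constructed name for the stricter administrator-unlock variant the text recommends.

```python
import time

# Lockout figures taken from the PCI DSS requirement quoted above.
MAX_ATTEMPTS = 6            # lock the account after six invalid access attempts
LOCKOUT_SECONDS = 30 * 60   # keep it locked for at least 30 minutes

class LoginThrottle:
    """Counts consecutive failed logins per user and enforces the lockout.
    Assumption: time is passed in as epoch seconds so the logic is testable."""

    def __init__(self, require_admin_unlock=False):
        self.failures = {}        # user -> consecutive failed attempts
        self.locked_until = {}    # user -> epoch seconds when a timed lock expires
        self.require_admin_unlock = require_admin_unlock  # stricter variant described above

    def is_locked(self, user, now=None):
        now = time.time() if now is None else now
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.require_admin_unlock or now < until:
            return True                   # only unlock() or the timer clears it
        del self.locked_until[user]       # timed lock has expired: reset the counter
        self.failures[user] = 0
        return False

    def record_failure(self, user, now=None):
        """Call on every wrong password. Returns True when the account is (now) locked."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_ATTEMPTS:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, user, now=None):
        """A correct password is refused while locked; otherwise it resets the counter."""
        if self.is_locked(user, now):
            return False
        self.failures[user] = 0
        return True

    def unlock(self, user):
        """Administrator action after reviewing the incident: clear the lock and counter."""
        self.locked_until.pop(user, None)
        self.failures[user] = 0
```

Note that `record_success` refuses a correct password while the lock is active; if a lock only blocked wrong guesses, an attacker who hit the right password on a later attempt would still get in.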
5. Enable session timeouts
A session timeout automatically logs users out of their accounts and/or systems after a period of inactivity. Under PCI regulations, a session should time out after no more than 15 minutes of inactivity. While constantly getting logged out of accounts may be inconvenient for users, session timeouts protect sensitive financial data when devices are left unattended.
For instance, let’s say your employee is working in a local cafe. If they walk away from a laptop that contains payment card information, an unauthorized user could see and access that information. Cybercriminals may also be able to hack vulnerable networks to hijack idle accounts that are still logged in. Regular session timeouts minimize the risk in these cases. Many cloud applications, like Microsoft 365, allow system administrators to set session timeouts and send users a warning prompt when the timeout is approaching.
6. Encrypt your passwords
Companies must encrypt passwords during transmission and storage. To comply with PCI regulations, you first need to apply strong SSL and TLS encryption protocols whenever passwords are entered or shared over public and private networks. You’ll also want to store your passwords in servers that use advanced encryption standards to get the highest level of security. When you encrypt your passwords, cybercriminals will see nothing but indecipherable code even if they manage to infiltrate your company’s network and servers.
Passwords alone are insufficient
While strong passwords and good management can protect accounts that contain payment card information, they’re only one line of defense against a cyberattack. Multifactor authentication significantly bolsters your company’s security. This solution requires the user to provide more than one set of login credentials to verify their identity. Examples of these credentials include fingerprint scans, facial ID, or temporary passcodes sent via a separate authenticator app. With this setup, cybercriminals will be unable to infiltrate company accounts unless they get hold of all the necessary credentials.
Ensuring PCI compliance can be a serious challenge for businesses, especially since there are so many intricate security and data management requirements to follow. Fortunately, Dynamic Solutions Group can make this process so much easier. When you partner with us, we’ll assess your current security framework against PCI standards and recommend top-tier solutions that will keep your data out of harm’s way. Call us now to meet PCI DSS requirements.