
Password compliance and password management for PCI DSS

Can poor password management lead to PCI DSS non-compliance? Mike Chapple outlines key password compliance best practices.

I saw that Verizon reported that poor password management was the root cause of many 2011 data breaches. I'm assuming this would mean many of these organizations would have been non-compliant with PCI DSS, HIPAA, and other mandates too. Can you outline the key password compliance best practices? What do the most widely applicable mandates require?

Generally speaking, the Payment Card Industry Data Security Standard (PCI DSS) is the only major compliance mandate that spells out direct, specific requirements for password security. Those requirements are found in Requirement 8 of PCI DSS (sub-requirements 8.5.8 through 8.5.12 in the v2.0 numbering current when this was written). The password provisions in that section include the following:

  • Shared, group or generic accounts and passwords are explicitly prohibited (8.5.8). This shouldn't surprise anyone, as it is a standard security best practice: sharing passwords eliminates individual accountability and jeopardizes the security of protected systems.
  • User passwords must be changed at least every 90 days (8.5.9). This is one of the trickiest password provisions of PCI DSS because it is a major inconvenience to users. In most organizations not required to comply with PCI, password policies typically specify annual or semiannual changes; PCI DSS is much stricter.
  • Passwords must be at least seven characters long and contain both letters and numbers (8.5.10 and 8.5.11). This is another standard practice that most organizations already follow. There is no requirement here for punctuation, mixed upper/lowercase or other special characters.
  • Users may not reuse any of their last four passwords (8.5.12). Combined with the 90-day change interval, this means a user cycles through at least five distinct passwords, so a given password cannot come back into service for roughly 15 months.
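As an added illustration (this is not part of the original column, nor material from the PCI Security Standards Council), the following Python checker encodes the password rules as the page states them: minimum length, letters plus digits, no reuse of the last four passwords, and a 90-day change interval. The choice of PBKDF2-HMAC-SHA256 with 100,000 iterations for storing password history, and the ISO date strings for the last-change timestamp, are my own assumptions; PCI DSS does not specify either. Keeping only salted hashes of previous passwords lets the reuse rule be enforced without ever retaining plaintext history.

```python
import hashlib
import os
import secrets
from datetime import date

# Policy values as described on the page (PCI DSS v2.0, Requirement 8.5).
MIN_LENGTH = 7          # 8.5.10
MAX_AGE_DAYS = 90       # 8.5.9
HISTORY_DEPTH = 4       # 8.5.12
PBKDF2_ROUNDS = 100_000  # assumption: not mandated by PCI DSS


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256.

    Only these hashes of earlier passwords are kept, never the plaintext,
    which is enough to enforce the "last four" rule.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored hash."""
    _, candidate = hash_password(password, salt)
    return secrets.compare_digest(candidate, digest)


def check_new_password(password, history):
    """Validate a proposed password against the page's composition and reuse rules.

    history: list of (salt, digest) tuples for previous passwords, most recent last.
    Returns a list of violation strings; an empty list means the password is acceptable.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digits")
    # 8.5.12: the new password may not equal any of the last four used.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if matches(password, salt, digest):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def rotate_password(new_password, history):
    """Accept a new password, append its hash, and trim history to what the reuse rule needs."""
    problems = check_new_password(new_password, history)
    if problems:
        raise ValueError("; ".join(problems))
    history.append(hash_password(new_password))
    del history[:-HISTORY_DEPTH]  # keep only the last four (current plus three prior)
    return history


def change_due(last_changed, today=None):
    """Return True once 90 or more days have elapsed since the last change.

    Dates are ISO strings (YYYY-MM-DD), as a user record might store them (assumption).
    """
    last = date.fromisoformat(last_changed)
    now = date.fromisoformat(today) if today else date.today()
    return (now - last).days >= MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample walk-through: five rotations, then an attempt to reuse the oldest.
    hist = []
    for pw in ["summer2011", "autumn2011", "winter2011", "spring2012", "summer2012"]:
        hist = rotate_password(pw, hist)
    print("reuse of summer2012:", check_new_password("summer2012", hist))
    print("reuse of summer2011 (fell outside the window):", check_new_password("summer2011", hist))
    print("change due on 2012-08-30 after a 2012-06-01 change:", change_due("2012-06-01", "2012-08-30"))
```

Note that the check deliberately does not require punctuation or mixed case, matching the page's reading of the standard; an organization is free to be stricter, and the composition tests are the place to add that.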

If you're subject to PCI DSS, these practices should be old hat for you. Failing to comply with any of them will result in failing your PCI DSS audit. And if you're working toward compliance with a different standard that doesn't provide specific guidance, they're also an excellent set of controls you can easily defend as industry standard best practices.

This was first published in June 2012
