The PCI DSS Password Rulebook: Which Requirements You Need to Know for Secure Authentication

Darren James, a Senior Product Manager at Specops Software, an Outpost24 company, explains the key updates coming in the latest version of the Payment Card Industry Data Security Standard (PCI DSS) guidelines and outlines how companies can create PCI DSS-compliant policies. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.
The Payment Card Industry Data Security Standard (PCI DSS) established a comprehensive set of guidelines aimed at safeguarding cardholder data and ensuring businesses handling payment card information operate in a secure environment. Within its guidelines, PCI DSS places particular importance on implementing robust password policies to prevent unauthorized access and reduce the risk of data breaches.
Now, with the latest version of these guidelines, PCI DSS v4.0.1, there are notable updates organizations must navigate to remain compliant, including both immediate and future requirements. Certain provisions took effect in April 2024, but a set of more advanced best-practice measures, which are harder to address because they depend on specific technologies, become mandatory on March 31, 2025. The standard sets requirements for critical aspects of password management, such as password complexity, change frequency, history tracking, lockout mechanisms, secure storage, and user education. These updates are designed to strengthen cybersecurity in response to evolving threats but present significant implementation challenges for many organizations.
Key update 1:
PCI DSS v4.0.1 highlights the importance of adopting stronger, more complex passwords to enhance security. The minimum password length for general user accounts is set at 12 characters. However, for service accounts used by applications, services, and systems, a password of at least 15 characters is recommended. These passwords should meet complexity requirements by including alphanumeric characters and be checked against breached or commonly compromised password lists.
Key update 2:
The update relaxes the requirement for regular password expiration, shifting focus to changing passwords only in cases of known or suspected compromise. This approach aims to reduce users’ tendency to create weak, predictable passwords that often result from overly frequent change requirements, ultimately enhancing overall security.
Key update 3:
PCI DSS v4.0.1 introduces enhanced requirements for password storage to bolster security. Passwords must be stored using robust encryption methods and protected with strong hashing algorithms, ensuring that stored credentials remain secure against unauthorized access or compromise.
Key update 4:
Under the new requirements, passwords must be transmitted securely using strong encryption and secure protocols such as HTTPS or SSH. This ensures that sensitive password information remains confidential in transit over networks, protecting it from unauthorized access and interception.
Key update 5:
PCI DSS v4.0.1 mandates the use of secure password management systems equipped with features like multi-factor authentication (MFA) and detailed audit logs. MFA is now a mandatory requirement for all administrative access to these systems, while audit logs ensure accountability and traceability of all password management activities.
Key update 6:
The new requirements highlight the importance of user education on password security, emphasizing the need for strong passwords and secure practices. To achieve this, organizations should implement comprehensive training programs and run regular awareness campaigns that educate employees and remind them of password security best practices. An additional educational measure is to give users feedback when they change their password, covering password hygiene and best practices.
Key update 7:
PCI DSS v4.0.1 promotes the use of automated password management tools, such as password managers, to help users generate and store complex passwords securely. Additionally, automated systems will be implemented to enforce strong password policies and proactively detect weak or compromised passwords, enhancing overall password security.
Creating a PCI-DSS-compliant policy for your organization
To achieve PCI-DSS compliance, organizations must establish a robust password policy that prioritizes security. This policy should mandate strong, complex passwords that are at least 12 characters long, ideally 15 for passwords changed due to compromise. A diverse character set, including uppercase and lowercase letters, numbers, and special characters, is essential to enhance password strength.
To mitigate the risk of password reuse, the policy should enforce regular password changes, typically every 90 days, unless a risk-based assessment justifies a longer interval. Alternatively, organizations can introduce length-based password aging policies, whereby users are rewarded for selecting a long password by extending the time until they need to change it. For example, if a user has a 12-character password, then they will have to change it every 90 days, while a 20-character password could be set to only expire if the password is breached.
Implementing password history checks, storing a minimum of the last four passwords, further strengthens security by preventing password recycling. To deter unauthorized access attempts, account lockout mechanisms should be configured to lock accounts after a specified number of failed login attempts, typically five, for a minimum of 30 minutes.
Safeguarding sensitive password information is paramount. Strong encryption methods must be employed to store passwords securely, preventing unauthorized access and data breaches. For instance, on Windows a password shorter than 15 characters could still be stored as a weak LM hash. The simplest way to avoid storing an LM hash for a password is to enforce a minimum length of 15 characters: when a password meets or exceeds this length, Windows stores a placeholder LM hash value that cannot be used to authenticate the user.
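The policy section above (length, complexity, breached-list and history checks, lockout, length-based aging) and the storage requirement can be expressed as a small enforcement module. The following is an added example, not code from Specops or from the PCI DSS standard; the PBKDF2 work factor and the sample breached-password list are assumptions made here, and the numeric thresholds are the ones the article cites.

```python
import hashlib
import hmac
import os
import string

# Policy values from the article's guidance.
MIN_LEN_USER, MIN_LEN_SERVICE, HISTORY_DEPTH = 12, 15, 4
LOCKOUT_THRESHOLD, LOCKOUT_MINUTES = 5, 30
PBKDF2_ITERATIONS = 600_000  # assumption: work factor chosen here, not prescribed by PCI DSS
SALT_LEN = 16

# Constructed sample of a breached/common password list; production uses a full, updated feed.
BREACHED = {"Password123!", "Welcome2024!!", "Summer2025Summer"}


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest so the salt is stored with the hash."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored salt || digest value."""
    return hmac.compare_digest(hash_password(password, stored[:SALT_LEN]), stored)


def check_new_password(password: str, history: list, service_account: bool = False) -> list:
    """Return the policy violations for a proposed password (empty list means acceptable)."""
    problems = []
    min_len = MIN_LEN_SERVICE if service_account else MIN_LEN_USER
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password)]
    if not all(classes):
        problems.append("needs upper, lower, digit and special character")
    if password in BREACHED:
        problems.append("appears on breached/common password list")
    # History is kept as hashes; compare against the most recent HISTORY_DEPTH entries only.
    if any(verify_password(password, h) for h in history[-HISTORY_DEPTH:]):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def max_age_days(password: str):
    """Length-based aging: 12-19 characters expire after 90 days; 20+ expire only on breach (None)."""
    return None if len(password) >= 20 else 90


def is_locked(failed_attempts: int, minutes_since_last_failure: float) -> bool:
    """Lock after five consecutive failures and hold the lock for 30 minutes."""
    return failed_attempts >= LOCKOUT_THRESHOLD and minutes_since_last_failure < LOCKOUT_MINUTES
```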
To foster a culture of password security, organizations should prioritize user education and helpful feedback when they set or change their passwords. Regular training sessions should emphasize the importance of strong password practices, the risks associated with weak or reused passwords, and the benefits of using password managers. Continuous monitoring and review of the password policy are essential to ensure its effectiveness and alignment with evolving security standards. Regular audits and assessments can identify potential vulnerabilities and inform necessary adjustments to the policy.
Additionally, organizations should carry out continuous scanning for all passwords to check whether a user’s password becomes breached over time. A password might be fine for one week, but that doesn’t mean it can’t be breached the following week, month, or year. Continuous scanning gives the business real-time updates to remediate the breached password if and when this occurs. Finally, clear documentation of the password policy is crucial. The policy should be readily accessible to all relevant employees, and its enforcement should be consistently applied across the organization. By adhering to these guidelines, organizations can significantly enhance their password security posture and strengthen their overall PCI-DSS compliance.
With the deadline approaching, organizations need to act now. Those who prioritize compliance can significantly reduce the risk of cardholder data breaches, minimize operational disruptions, and enhance their overall cybersecurity posture. Whether through internal changes or external expertise, planning for and understanding the new requirements are crucial for safeguarding sensitive information and mitigating cyber threats.