PCI Password Requirements & Recommended Controls

The Payment Card Industry Data Security Standard (PCI DSS) requires merchants processing cardholder data to implement a set of security measures to protect it. PCI guidelines offer best practices and recommendations to ensure data security. These guidelines ensure the integrity and confidentiality of payment data.

This article discusses your obligations as a cardholder data processor, PCI-suggested security measures, and the importance of these PCI password requirements.

What are the PCI DSS password requirements?

PCI DSS password requirements are the rules and recommendations merchants should follow to stay compliant. As a merchant processing cardholder data, it is compulsory to follow these guidelines for setting passwords?

To adhere to PCI compliance you must follow these password requirements:

Length

Passwords must be at least 12 characters in length (8 characters if the system does not support 12). This is an update from the previous requirements of a minimum of 7 characters and is applicable till March 31, 2025. 

Variation

Factors like complexity, length, and randomness contribute to the strength of the password. It should include a combination of lowercase, uppercase, and special characters to render it impossible to guess. This strengthens security and prevents leakage through guesswork or using password-cracking tools.

Update

Users should change their passwords every 90 days. Frequent changing limits the successful attempts to break by hackers and reduces theft attempts by keystroke loggers. Additionally, if you use passwords as the only form of authentication, implement controls to reduce the impact in the event of a compromise. 

Safety lock

If the administrator locks a user account, configure it to be inaccessible for at least 30 minutes. The administrator should validate the identity of the user before reactivating or implementing a password reset self-service. Keeping the account locked reduces multiple breach attempts, which may lead to unauthorized access. 

System auto lock

If a system remains idle for 15 minutes or more, it should be automatically locked. The user has to re-enter a password to access the system again. 

Rendering systems inaccessible after prolonged periods of inactivity prevents unauthorized access to maintain data integrity. 

Encryption

Passwords should be encrypted using strong cryptography while being transmitted and at rest. Use trusted vendors that support strong encryption. Protect non-console technologies like out-of-band (OOB), lights-out management (LOM), Intelligent Platform Management Interface (IPMI), and keyboard, video, and mouse (KVM) switches with remote capabilities using strong encryption methods. This prevents malicious actors from stealing data by accessing the password.

Limit failed attempts

When a user attempts to access their account for more than six times in a row, the access should be blocked. Limiting failed access attempts reduces the chance of fraudulent activity like data theft.

Change default password

If the vendor presets a password, reset it to a strong, unique password after the first use. This includes user IDs, passwords, and other authentication credentials. Malicious actors often use the vendor’s default password to easily steal data. Changing it makes it harder for such individuals to steal data.

MFA

Multi-factor authentication is a requirement for non-console access to cardholder data. It is also required for administrators accessing network and system components of cardholder data. System administrators should be authenticated using a password, a token device, or a biometric element. Note that using the same factor twice (using a password twice) does not qualify as MFA.

Interactive login security

If an application or system that uses interactive login stores passwords, secure it using encryption techniques. (Interactive login is the process by which individuals enter authentication credentials to directly access /log in to an application or system account). PCI recommends password vaults or system-managed controls.

Alteration

Every time users change the password, it cannot be the same as the previous four. Configure the system to automatically reject previously used passwords. Alternating helps to reduce damage for compromised passwords.

Encrypt wireless systems

If a wireless environment is connected to a cardholder environment or transmits account data, all vendor default passwords should be secure. This includes password-protected wireless access points, SNMP defaults, and default wireless encryption keys. This prevents wireless sniffers from capturing data from the traffic and attacking the network.

Also, check out: The complete list of PCI DSS requirements

Are these requirements important to stay PCI DSS compliant?

The short answer is yes. If you are looking to be PCI DSS certified, passing the PCI audit is mandatory. The auditor will map your security measures and controls against the requirements. The latest updated version of PCI DSS contains a summary of all the new changes, requirements, and best practices.

Non-compliance increases the risk of breaches and makes your system more vulnerable to data theft. If your cardholder environment is compromised, you are looking at a number of possible repercussions. 

The PCI all-rounder

PCI clearly states the controls and requirements, but implementing all without a crack in the system is time-consuming, tedious, and expensive. 

Keeping all the hurdles in mind, we built the Sprinto dashboard – a comprehensive tool that makes you auditor ready in 2 weeks. It ties all requirements to controls and checks – including all password requirements like encryption, flagging unauthorized access, validation of critical system users, and MFA status; Sprinto automates it all. The auditor dashboard shows a single view of audit reports, evidence, documents, and controls.

Talk to us to get compliant, no matter your PCI DSS level.