via Bleeping Computer
Ever since 2004, the payment card industry has required merchants who accept credit card payments to adhere to the Payment Card Industry Data Security Standard (PCI DSS, often shortened to PCI). The requirement doesn't apply only to merchants: it covers any organization that stores or processes credit or debit card information, or that accepts credit or debit card payments.
Unfortunately, PCI compliance is not a one-time endeavor.
Keeping your compliance up to date
The PCI requirements are periodically updated as technology and potential security threats evolve, and as NIST standards change.
For example, version 2.0 of the PCI requirements was released in 2010, and version 3.0 followed a short time later in 2013. Several minor version updates have also been released over the years.
The important takeaway from a compliance standpoint is that the PCI requirements change over time, and an organization that fails to keep up with these changes could lose its compliance status.
The most recent version of PCI is 4.0, which was released in 2022. This latest version builds on the standards set forth by PCI version 3.2.1. Most of the new requirements relate to authentication and to passwords; the key ones are outlined below.
Five new requirements for PCI 4.0
- PCI version 4.0 requires multifactor authentication to be used more widely. Whereas multifactor authentication had previously been required only for administrators who needed to access systems related to cardholder data or processing, the new requirement mandates multifactor authentication for any account that has access to cardholder data.
- The new standards also require users' passwords to be changed every 12 months. Additionally, a user's password must be changed any time the account is suspected to have been compromised.
- A third requirement is that users must use strong passwords. While strong passwords have always been required by the PCI standard, the password requirements are now more stringent than before. Passwords must be at least 15 characters in length, and they must include numeric and alphanumeric characters. Additionally, users' passwords must be compared against a list of passwords that are known to be compromised.
- Another requirement of PCI 4.0 is that organizations must review access privileges every six months to make sure that only those who specifically require access to cardholder data are able to access that data.
- Finally, the latest version of PCI stipulates that vendor accounts are only to be enabled when they are needed, and that those accounts must be monitored while they are in use.
Addressing the new PCI requirements
Organizations that are subject to the PCI regulations must carefully consider how best to address these new requirements. Some of the requirements are relatively easy to address. For example, Windows group policy settings can be used to require 15-character passwords and to enforce complexity requirements. Similarly, group policies can be used to automatically expire passwords every 12 months.
Even so, some of the new requirements go beyond what Windows' native security mechanisms are capable of. For example, Windows Server lacks the ability to compare users' passwords against a list of passwords that are known to have been compromised. As such, organizations will need to adopt a third-party solution in order to meet this requirement.
A recent study found that 56% of breached passwords were deemed compliant with PCI requirements, so it's good to have a backup method of password protection in place.
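To make the gap concrete, here is an added example (not code from the article or from any product it mentions) that enforces the three password rules described above in one place: the 15-character minimum with numbers and letters, the 12-month rotation, and the compromised-password comparison that Windows cannot do natively. The breached corpus is a constructed sample built inline and stored HIBP-style (5-hex-character SHA-1 prefix mapping to a set of suffixes); the function and class names are my own.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LENGTH = 15                 # PCI DSS 4.0 minimum length cited in the article
MAX_AGE = timedelta(days=365)   # passwords must be changed at least every 12 months


def _build_corpus(plaintexts):
    """Constructed stand-in for a breached-password corpus. Layout mirrors the
    HIBP range format: key = first 5 hex chars of SHA-1, value = set of the
    remaining 35 chars. A real deployment would load millions of entries from disk."""
    corpus = {}
    for pw in plaintexts:
        h = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        corpus.setdefault(h[:5], set()).add(h[5:])
    return corpus


# Sample values only: the first two satisfy length and character rules yet are "breached".
BREACHED = _build_corpus(["Password123456789", "Summer2024Summer2024", "password"])


@dataclass
class PolicyResult:
    ok: bool
    failures: list = field(default_factory=list)


def is_breached(candidate: str, corpus=BREACHED) -> bool:
    """Hash the candidate, look up its 5-char prefix bucket, then test the suffix."""
    h = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    return h[5:] in corpus.get(h[:5], set())


def check_password(candidate: str, last_changed: str, today: str, corpus=BREACHED) -> PolicyResult:
    """Evaluate one password against the PCI 4.0 rules the article lists. Dates are ISO strings."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in candidate):
        failures.append("no numeric character")
    if not any(c.isalpha() for c in candidate):
        failures.append("no alphabetic character")
    if is_breached(candidate, corpus):
        failures.append("found in known-compromised list")
    if date.fromisoformat(today) - date.fromisoformat(last_changed) > MAX_AGE:
        failures.append("older than 12 months, must be rotated")
    return PolicyResult(ok=not failures, failures=failures)


if __name__ == "__main__":
    for pw in ["Password123456789", "correct-horse-battery-9", "short1"]:
        print(pw, check_password(pw, "2024-01-15", "2024-06-01"))
```

Note that "Password123456789" passes every Windows-enforceable rule and is rejected only by the corpus lookup, which is exactly the check the article says needs a third-party component.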