
PCI DSS 4.0. Password Requirements

March 6, 2024


Learn the fundamentals of PCI DSS 4.0 password requirements to safeguard sensitive payment data and move toward PCI DSS compliance.

March 2024 is the date when the PCI DSS 4.0 updates come into effect. In general, PCI DSS 4.0 focuses on several specific areas: security, customized implementation, access controls, authentication, encryption, monitoring, and the frequency and methods of critical control testing. The updated requirements, along with the key differences between the previous and the new version of the standard, are described in detail in the Summary of Changes from PCI DSS v3.2.1 to v4.0. Although all PCI DSS 4.0 requirements aim at strengthening security in the financial industry, the strengthened PCI DSS 4.0 password requirement controls take a special place. Access controls play a pivotal role in safeguarding sensitive payment card data and ensuring PCI DSS compliance. This is logical given the increasing number of data breaches the financial industry faces. According to the 2023 Verizon Data Breach Investigations Report (DBIR), attacks against credentials were the most prevalent attacks in Finance and Insurance, responsible for 77% of data breaches. Weak and unprotected passwords were one of the major causes of breaches within this pattern. Brute-force attacks such as credential stuffing, password cracking, password guessing, and password spraying are the most common tactics criminals use to reach sensitive data. To enhance security in the financial industry, PCI DSS 4.0 implements robust access control requirements as part of the overall PCI DSS 4.0 updates. In this article, we’ll explore the fundamentals of PCI DSS 4.0 password requirements, so that your organization can safeguard sensitive payment data and move easily toward PCI DSS compliance.

Quick Recap of PCI DSS 4.0.

PCI DSS provides a collection of security standards and regulations created by leading credit card companies like Visa, MasterCard, American Express, Discover, and JCB. These standards aim to safeguard payment card data from data breaches and cybersecurity risks. By offering a structured framework, PCI DSS assists organizations involved in processing, storing, or transmitting credit card data in maintaining a secure environment for such transactions. PCI DSS 4.0 focuses on making cardholder data even safer by encouraging organizations to look at security more comprehensively. Getting ready for PCI DSS 4.0 updates will require a substantial effort because the updated standard introduces new controls. These include:

Let’s see what the main PCI DSS 4.0 authentication and authorization requirements are and what they mean for PCI DSS compliance.

PCI DSS 4.0. Password Length Requirements

As the technology industry continues to evolve rapidly, cybercriminals and malicious actors evolve with it. Password strength is a baseline necessity to prevent brute-force attacks and many other password-related attacks in which a malicious actor guesses a system’s passphrase. One of the primary PCI DSS 4.0 password requirements is an increase in the required password length: a minimum of 12 characters (or at least 8 characters if the system does not support 12). Using numbers, upper- and lowercase letters, and special characters, a 12-character password will take 226 years to crack. To crack a password of the same length and complexity, attackers needed 3,000 years in 2022 and 34,000 years in 2020. Leveraging advanced technologies like artificial intelligence (AI) and machine learning (ML) would make this period even shorter. So if this trend continues, and it will, the password requirements will have to be increased again soon. It would be smart for organizations not simply to meet the current compliance requirement but to increase the password length above 12 characters. PCI DSS 3.2.1 mandated a password length of seven characters. According to the calculation above, a password with the same character criteria but limited to only seven characters would be cracked in approximately 4 seconds in 2024. Therefore, at a fundamental level, organizations must enhance various safeguards, including raising the mandated password lengths, to meet and sustain PCI DSS compliance in the future.

PCI DSS 4.0. Password Managing Requirements

An additional option is added for managing passwords/passphrases. In PCI DSS 3.2.1, organizations were required to change passwords every 90 days, which was a painful practice. Frequent updates tend to trigger unsafe user behaviors, as people often make only minor changes or write down their passwords. The new PCI DSS 4.0 password requirements allow organizations to stop this practice as long as they increase the password length and complexity and implement multi-factor authentication (MFA). However, if passwords or passphrases are the sole authentication method for customer user access, they must still be changed every 90 days, or access must be dynamically analyzed, with real-time access to resources automatically determined accordingly. This requirement does not apply to accounts of consumer users accessing their own payment card information.

PCI DSS 4.0. Mandates Multi-Factor Authentication (MFA)

PCI DSS 4.0 mandates the implementation of multi-factor authentication (MFA) for all access into the Cardholder Data Environment (CDE). MFA is a critical security enhancement that requires users to confirm their identity by presenting additional information beyond just a username and password. When MFA is appropriately deployed, it significantly complicates the task of an attacker attempting to access information systems, even where a password or another credential has been compromised. The new PCI DSS relies more on applying stronger authentication standards to payment and control processes. With this, NIST password guidance moves to the forefront. It requires users to provide a combination of two or more of the following:

In practice, these additional factors may include an authenticator application that provides a time-based code; a push notification, that is, a pop-up sent to a secondary verified device (typically a phone) to verify the login attempt; or Fast IDentity Online (FIDO) authentication that uses biometrics such as facial or voice recognition or a fingerprint scan. In addition, MFA was previously mandatory solely for remote access to the cardholder data environment. According to the revised PCI DSS MFA guidelines, however, anyone logging in from beyond your secured network perimeter must employ MFA, regardless of whether they are accessing the CDE. This requirement extends to all employees, both regular users and administrators, as well as third-party vendors. Furthermore, it applies to any web-based access, even when used by on-site employees. PCI DSS 4.0 has partnered with Europay, Mastercard, and Visa (EMVCo) to implement the use of a 3DS Core Security Standard during transaction authorization. This new standard opens the door for organizations to build their own authentication standards. Furthermore, the 3DS Standard allows organizations to scale their authentication standards to fit the company’s transaction objectives.

Continuous Monitoring of User Accounts

PCI DSS 4.0 mandates proper management of authentication for both administrators and non-consumer users within the system. This ensures that individual accounts are consistently monitored throughout the account’s lifecycle and deactivated when necessary. Organizations must implement inactivity controls that deactivate or disable accounts that remain inactive for more than 90 days. Additionally, re-authentication must be enforced if an application session is idle for more than 15 minutes. PCI DSS 4.0 also limits the number of failed login attempts a user has: the number of invalid authentication attempts before the user account is locked has been increased from 6 to 10.
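The following is an added example, not code from the article or from the PCI Security Standards Council, that turns the parameters described in the password length, password managing and account monitoring sections above into policy checks: minimum length (12, or 8 where the system cannot support 12) with letters and numbers, lockout at 10 invalid attempts, disabling after 90 days of inactivity, re-authentication after 15 idle minutes, and the 90-day rotation that still applies when a password is the only factor. All function and field names, and the constructed dates, are assumptions for illustration; the consumer-account exemption is left to the caller.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Parameters as described in the article (PCI DSS 4.0 values).
MIN_LENGTH = 12             # fall back to 8 only if the system cannot support 12
MAX_FAILED_ATTEMPTS = 10    # lock the account on the 10th invalid attempt
INACTIVITY_DAYS = 90        # disable accounts inactive for more than 90 days
IDLE_SESSION_MINUTES = 15   # require re-authentication after 15 idle minutes
PASSWORD_MAX_AGE_DAYS = 90  # rotation only when passwords are the sole factor


def password_violations(pw: str, system_supports_12: bool = True) -> list:
    """Return policy violations for a candidate password ([] means compliant)."""
    required = MIN_LENGTH if system_supports_12 else 8
    problems = []
    if len(pw) < required:
        problems.append(f"fewer than {required} characters")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("needs both letters and numbers")
    return problems


@dataclass
class Account:                       # hypothetical account record
    last_login: datetime             # last successful authentication
    last_password_change: datetime
    mfa_enabled: bool                # True when a password is not the sole factor
    failed_attempts: int = 0
    locked: bool = False


def record_failed_login(acct: Account) -> bool:
    """Count an invalid attempt; lock once the limit is reached. Returns locked state."""
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
    return acct.locked


def must_disable_for_inactivity(acct: Account, now: datetime) -> bool:
    """True when the account has been unused for more than 90 days."""
    return now - acct.last_login > timedelta(days=INACTIVITY_DAYS)


def session_needs_reauth(last_activity: datetime, now: datetime) -> bool:
    """True when an application session has been idle for more than 15 minutes."""
    return now - last_activity > timedelta(minutes=IDLE_SESSION_MINUTES)


def password_change_required(acct: Account, now: datetime) -> bool:
    """The 90-day rotation still applies when the password is the only factor."""
    if acct.mfa_enabled:
        return False
    return now - acct.last_password_change > timedelta(days=PASSWORD_MAX_AGE_DAYS)
```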

Protection of Application and System Account Passwords

PCI DSS 4.0 also requires that passwords for application and system accounts be protected against misuse. Misuse can include improper access, sharing, or any action that compromises the security of the credentials. Implementing measures to protect against misuse ensures the integrity and security of these critical accounts.

Final Thoughts

The implementation and validation of the above controls vary slightly based on the required PCI DSS compliance level. These levels are determined by factors such as your annual transaction volume and the company's role in the transaction processing. Additionally, service providers have unique requirements that merchants do not have. Read more about RoC, AoC, and other elements of PCI DSS compliance in our previous blogs, and feel free to contact Planet 9 if you have any questions or need help with addressing PCI DSS compliance challenges.

Become PCI DSS Compliant with Planet 9

Are you on your PCI DSS compliance journey, or unsure where to start? Planet 9 professionals can help you become and remain PCI compliant. Depending on your company’s size and volume of annual credit card transactions, we can, among other things:

Book a free consultation today to explore how Planet 9 can help you achieve your security and compliance goals. We’ll be happy to assist!

FAQs

What is the password encryption in PCI DSS 4.0?

PCI DSS requires that all passwords and passphrases be encrypted when stored and in transit. Only secure encryption algorithms and protocols, such as AES-256 and TLS 1.2/1.3, may be used.

Does PCI require password changes?

The new PCI DSS 4.0 password requirements allow organizations to stop the practice of changing passwords every 90 days, as long as they increase the password length and complexity, and MFA is enforced. However, PCI DSS 4.0 requires organizations meeting these requirements to conduct Targeted Risk Analysis to determine the password change frequency. Additionally, passwords must be changed if there is suspicion of compromise or unauthorized access.

Is the use of strong passwords sufficient for PCI compliance?

The use of strong passwords is the initial line of defence; however, it is not considered sufficient. For PCI DSS compliance, passwords must be part of a broader access control strategy that includes multi-factor authentication (MFA).

