Why You Need to Exceed the PCI DSS Password Requirements

The password requirements for the Payment Card Industry Data Security Standard (PCI DSS) are extremely weak, and a brute force attack on a business adopting the minimum PCI DSS password requirements will typically gain access to password “protected” accounts within 20 minutes.

The Payment Card Industry Data Security Standard (PCI DSS) was created in 2004 to align the security standards being operated by Visa, Mastercard, Amex, Discover, and JCB. The objective of the alignment was to create a universal level of protection for card issuers by ensuring businesses met minimum security standards when storing, processing, and transmitting cardholder data.

Compliance with PCI DSS is a condition of being able to accept credit and debit card payments, so it is essential businesses are aware of the security standards, meet the security standards, and – in the case of the PCI DSS password requirements – exceed the standards required. The penalties for non-compliance include fines, increased transaction fees and – ultimately – termination of contract.

What are the PCI DSS Password Requirements?

Under the current version of PCI DSS (v3.2.1 – issued May 2018), businesses accepting credit and debit card payments are required to implement strong access control measures to protect cardholder data. The access controls apply not only to computers and Internet-connected mobile devices, but also to operating systems, POS terminals, and security service software.

If the business uses a username/password combination to control access, the following PCI DSS password requirements apply:

  • Passwords must be a minimum of seven characters in length.
  • They must consist of both numbers and letters.
  • Users are required to change passwords every 90 days.
  • New passwords must be different from the previous four passwords.
  • Passwords must be unique to each user and changed after first use.
  • Password lockouts must remain active for 30 minutes.
  • Vendor-supplied default passwords must be changed upon installation.
  • Passwords must be encrypted while in transit and at rest.
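The list above is easiest to reason about as enforcement logic. The following Python module is an added example written for this article, not code from the PCI Security Standards Council or from Bitwarden. It checks a candidate password against the length, composition and history rules, keeps the history as salted PBKDF2 hashes rather than plaintext (so the stored record is protected at rest), tracks the 90-day age, and applies a 30-minute lockout. The failure threshold of six attempts before lockout is an assumption of this example, not one of the requirements quoted above; the function and class names are likewise this example's own.

```python
import hashlib
import hmac
import os

# Policy constants taken from the PCI DSS v3.2.1 requirements listed above.
MIN_LENGTH = 7
HISTORY_DEPTH = 4                 # new password must differ from the previous four
MAX_AGE_DAYS = 90                 # forced rotation interval
LOCKOUT_SECONDS = 30 * 60         # lockout must stay active for 30 minutes
MAX_FAILURES = 6                  # assumed threshold; not among the rules quoted on this page
PBKDF2_ROUNDS = 100_000           # assumed work factor for the stored hash


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Only (salt, digest) is ever stored, never the
    plaintext, so the history list can be kept without keeping old passwords."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, entry):
    """Constant-time comparison of a candidate against one stored (salt, digest)."""
    salt, digest = entry
    probe = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(probe, digest)


def check_password(candidate, history):
    """Return a list of policy violation codes; an empty list means acceptable.
    `history` is a most-recent-last list of (salt, digest) entries."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("too_short")
    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_letter and has_digit):
        violations.append("needs_letters_and_digits")
    # Only the last HISTORY_DEPTH entries matter for the reuse rule.
    if any(matches(candidate, entry) for entry in history[-HISTORY_DEPTH:]):
        violations.append("reused")
    return violations


def password_expired(age_days):
    """True once a password has been in use for the maximum age or longer."""
    return age_days >= MAX_AGE_DAYS


class LockoutTracker:
    """Counts failed logins per user and enforces the 30-minute lockout.
    Times are plain epoch seconds so the logic is independent of any clock library."""

    def __init__(self):
        self.failures = {}      # user -> number of consecutive failures
        self.locked_until = {}  # user -> epoch second at which the lockout ends

    def record_failure(self, user, now):
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0

    def record_success(self, user):
        self.failures.pop(user, None)

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until


if __name__ == "__main__":
    # Constructed sample data: one previous password on file, one new candidate.
    history = [hash_password("Winter2019")]
    print(check_password("Winter2019", history))   # ['reused']
    print(check_password("abcdefg", []))           # ['needs_letters_and_digits']
    print(check_password("Spring2020", history))   # []
```

Note that the checker rejects a password only for the rules the standard states; a seven-character alphanumeric password such as the sample above passes, which is exactly the weakness the next section describes.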

The Risk of Using 7 Character Passwords

While it is a good idea for the payment card industry to promote password security best practices, the requirement that passwords must be a minimum of seven characters in length may result in businesses using passwords consisting of exactly seven characters, which – according to Bitwarden's password generator – can be cracked by a brute force attack within 20 minutes.

Using the same password generating tool, it is possible to determine that even twelve-character passwords consisting of upper- and lower-case letters, numbers and symbols can be cracked within three years. If you apply Moore's Law to the computing power of cybercriminals, it is likely that complex twelve-character passwords will be considered insufficient by the end of the decade.
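To see why length and character set dominate, and how a Moore's Law style projection works, here is an added Python example (not the Bitwarden generator and not code from the article) that computes the keyspace an attacker who knows the policy would search, the expected time to exhaust half of it at an assumed guess rate, and the number of years until that time falls below a chosen threshold if attacker throughput doubles on a fixed schedule. The guess rate of one billion per second and the two-year doubling period are constructed assumptions for the illustration; the absolute figures depend entirely on those inputs, which is why they differ from the generator-derived numbers quoted above. The function names are this example's own.

```python
import math

# Character-class sizes for printable ASCII: 10 digits, 26 lower-case,
# 26 upper-case and 33 symbols (punctuation plus space).
CLASS_SIZES = {"digit": 10, "lower": 26, "upper": 26, "symbol": 33}


def charset_size(password):
    """Size of the smallest class-based alphabet that covers the password.
    An attacker who knows the policy searches exactly this alphabet."""
    classes = set()
    for ch in password:
        if ch.isdigit():
            classes.add("digit")
        elif ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        else:
            classes.add("symbol")
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(length, alphabet):
    """Number of candidate strings of the given length over the alphabet."""
    return alphabet ** length


def entropy_bits(length, alphabet):
    """Search-space size expressed in bits."""
    return length * math.log2(alphabet)


def expected_crack_seconds(length, alphabet, guesses_per_second):
    """Average time to hit the password: on average half the keyspace is tried."""
    return keyspace(length, alphabet) / 2 / guesses_per_second


def years_until_crackable(length, alphabet, guesses_per_second,
                          target_seconds, doubling_years=2.0):
    """Moore's Law style projection: if attacker throughput doubles every
    `doubling_years`, how many years until the expected crack time is at or
    below `target_seconds`. Returns 0.0 if it already is."""
    t = expected_crack_seconds(length, alphabet, guesses_per_second)
    if t <= target_seconds:
        return 0.0
    return math.log2(t / target_seconds) * doubling_years


def report(password, guesses_per_second=1e9):
    """Summarise a password's brute-force resistance under the assumed rate."""
    n, a = len(password), charset_size(password)
    return {
        "length": n,
        "alphabet": a,
        "bits": round(entropy_bits(n, a), 1),
        "expected_seconds": expected_crack_seconds(n, a, guesses_per_second),
        "years_until_one_day": years_until_crackable(n, a, guesses_per_second, 86400),
    }


if __name__ == "__main__":
    # Constructed sample passwords: policy minimum, mixed case, and 12 chars with symbols.
    for pw in ("abc1234", "Abc1234", "Xk9#mQ2!vL7p"):
        print(pw, report(pw))
```

The useful observation is that adding a character class multiplies the keyspace by a constant, while adding one character multiplies it by the whole alphabet size; that is why the twelve-character figure is years where the seven-character figure is minutes, and why a fixed minimum length ages badly as attacker throughput grows.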

It is worth noting that in the Verizon 2020 Data Breach Investigations Report, 80% of data breaches that involved hacking were attributable to brute force attacks and lost or stolen log-in credentials. It is also worth noting that Verizon analyzed attempted brute force attacks against 81 businesses and counted more than 2.5 billion attacks within a year – an average in excess of 30 million per business.

How to Exceed the PCI DSS Password Requirements

Using a complex password generator is only the first step in exceeding the PCI DSS password requirements. Businesses also need to ensure passwords are unique, that they are not reused, and that they are stored securely. It is also important passwords are not disclosed to unauthorized personnel via phishing scams – the most common cause of stolen log-in credentials.

Consequently, it is advisable for businesses that store, process, and transmit cardholder data to implement a password manager that checks for duplicated and reused passwords and that stores passwords in an encrypted vault. In many cases, password managers such as Bitwarden include a browser plug-in that identifies phishing websites and alerts users to the risk.

It is also important to be aware that some jurisdictions and industries have password requirements that exceed those of PCI DSS. By implementing a password manager with the capabilities mentioned above and adopting best practices for password security, businesses will reduce the management overhead of complying with data protection regulations such as GDPR, CCPA, SOX, and HIPAA.