What Are the PCI DSS Password Requirements?

Passwords are essential for protecting computers and payment data. However, they need to be updated frequently to stay robust and effective. Manufacturer defaults and weak passwords are a common source of security breaches.

The password requirements of the PCI Data Security Standard (PCI DSS) are explicitly set out in PCI DSS Requirement 8.

To protect against password-related threats, PCI DSS requires passwords to comply with the following conditions:

  • Passwords must be at least seven characters long.
  • Must contain numeric characters as well as alphabetic characters.
  • Users are expected to change their passwords at least every 90 days.
  • New passwords must not be the same as any of the four previously used passwords.
  • New user first-time passwords and current user reset passwords must be set to a unique value for each user and updated after first use.
  • After up to six invalid access attempts, user accounts should be temporarily locked.
  • When a user account is locked, it must stay locked for a period of 30 minutes or until a system administrator resets the account.
  • System/session idle timeout settings must be set to 15 minutes or less.
  • Passwords should be secured with strong cryptography during transmission and storage.
  • Vendor published defaults should not be used for system passwords and other security parameters.

Password requirements for PCI DSS compliance are relatively straightforward and easily set with today’s directory services, such as Active Directory. For other systems that do not use a directory service for authentication, it is essential to enforce the basic parameters above on passwords to help protect the cardholder data environment.
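For a system that does its own authentication rather than relying on a directory service, the composition, history, and expiry conditions listed above can be enforced in application code. The following is an added example, not code from the original page or from PCI SSC; the class and function names are hypothetical, and scrypt is an assumed choice for the "strong cryptography" used in storage.

```python
import hashlib
import hmac
import os
from datetime import timedelta

MIN_LENGTH = 7                  # at least seven characters
MAX_AGE = timedelta(days=90)    # change at least every 90 days
HISTORY_DEPTH = 4               # must differ from the last four passwords


def hash_password(password, salt=None):
    """Return (salt, digest); scrypt keeps the stored value unreadable."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2**14, r=8, p=1)
    return salt, digest


def composition_errors(password):
    """List which length/character rules a candidate password breaks."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than seven characters")
    if not any(c.isalpha() for c in password):
        errors.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        errors.append("no numeric character")
    return errors


class Credential:
    """One user's password state: salted hashes only, newest first."""

    def __init__(self, password, now):
        self.hashes = []
        self._store(password, now)

    def _store(self, password, now):
        self.hashes.insert(0, hash_password(password))
        del self.hashes[HISTORY_DEPTH:]      # keep the last four only
        self.changed_at = now

    def _matches(self, password, entry):
        # Re-hash with the stored salt and compare in constant time
        salt, digest = entry
        candidate = hash_password(password, salt)[1]
        return hmac.compare_digest(candidate, digest)

    def change(self, new_password, now):
        """Apply a password change; return a list of errors (empty = ok)."""
        errors = composition_errors(new_password)
        if any(self._matches(new_password, e) for e in self.hashes):
            errors.append("same as one of the last four passwords")
        if not errors:
            self._store(new_password, now)
        return errors

    def expired(self, now):
        """True once more than 90 days have passed since the last change."""
        return now - self.changed_at > MAX_AGE
```

Because each history entry has its own salt, a reuse check has to re-hash the candidate once per stored entry; the plaintext of old passwords is never kept.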

Password Policy Details in PCI DSS Requirement 2

The first specific guidelines on passwords in PCI DSS concern removing passwords, especially the default passwords that third parties generate automatically for users.

Most of the time, hardware and software are shipped with default user accounts enabled. These accounts use a common username and password such as “USER” and “PASSWORD” to facilitate easy access.

While these accounts are intended to be reconfigured by users as soon as possible, there are several reasons why a user might fail to do so immediately, making them a prime target for hackers and other cybercriminals.

Therefore, all automatically generated passwords and accounts must be removed before installing or integrating a device or system into the wider network. Changing default accounts and passwords is the main focus of PCI DSS Requirement 2. Its subsections determine where and how this rule is applied for various account types and authentication methods.

Password Policy Details in PCI DSS Requirement 8

PCI DSS sets out its full-fledged password policy in Requirement 8.

PCI requirement eight specifies parameters for the planning and execution of the entire authentication system, not just passwords. This includes everything the user encounters, from IDs and passwords to other login elements like crashes and error messages. It also includes areas outside of user visibility, such as the storage and internal processing of accounts.

The most critical parts of PCI DSS requirement eight can be summarized as follows:

  • Assign a unique ID to all users.
  • Avoid reuse of individual identities, even after they have expired.
  • Strongly encrypt all user credentials in both transmission and storage.
  • All IDs and passwords must be unreadable.
  • Strictly control login attempts, crashes, and error messages.
  • Limit the number of password attempts.
  • Disable login after a certain number of attempts.
  • Use vague or generalized error messages.
  • Exercise control over the creation and deletion of accounts.
  • Monitor unused accounts and delete them after long absences.
  • Educate all account holders on the aspects of account security.
  • Enable automatic generation of strong passwords.
  • Provide resources for password strength analysis and best practices.
  • The length of a password must be at least seven characters.
  • Both letters and numbers must be used in the password.
  • A regular password reset is required every 90 days.
  • Do not allow the use of previous passwords and combinations.
  • Restrict specific sensitive access points with MFA.
  • Use MFA for remote access to all systems.
  • Use MFA for third-party access.

These sub-requirements, when taken together, form the heart of the PCI DSS password policy, which dictates how passwords should be used to ensure PCI compliance. These standards provide a consistent minimum level of cybersecurity and password policy across all PCI-compliant companies.

As long as the controls satisfy the PCI password policy, PCI DSS permits organizations to incorporate controls other than those established in the PCI standard, such as those defined in National Institute of Standards and Technology (NIST) Special Publication 800-63.

NIST SP 800-63 provides requirements, recommendations, and guidance for the use of memorized secrets, such as PINs and passwords, to validate digital identity.

How to Set Strong Passwords?

When a password is not complex enough, it is much easier for an attacker to access a system. An attacker can perform a brute force attack by making multiple password attempts through an automated tool that will enter thousands of passwords in seconds until one works.

The PCI DSS standard requires passwords to contain at least seven characters in uppercase and lowercase letters. Other guidance suggests long passwords that include numbers and special characters. Using password cracking software, passwords that fall below specific standards can be easily cracked.

The longer the password and the greater the combination of characters, the harder it is for an attacker to crack the password in use.

Part of the authentication process involves passwords, but unfortunately, passwords also bring problems. The main problem with passwords is that brute force and dictionary attacks crack them relatively quickly. Programs like John the Ripper and L0phtCrack can quickly crack complex passwords.

Human nature also leads to vulnerable passwords. Employees prefer to choose passwords that they can recall quickly, which are also passwords that a data thief can easily guess through social engineering. Most staff still prefer to type in passwords and even share them with others for convenience.

Unfortunately, many companies don’t know how easily cybercriminals can crack a password. If it is a widely used password, attackers get results much faster. Some common poor password practices are listed below:

  • Sharing credentials: Employees often share accounts and credentials to save time. However, it makes it easier for social engineers to access sensitive data quickly.
  • Not updating passwords regularly: It is only a matter of time before many hackers crack a password. Hence, businesses that have used the same passwords for their accounts since the company was founded are vulnerable.
  • Choosing predictable words like “Password” or “Admin”: These types of passwords are very common and are probably the first words hackers guess when trying to gain remote access.

So how can you be sure you have secure passwords? Here are a few essential practices you can implement.

Set unique credentials and change default passwords

Using different passwords for different services is important. That way, if one service is compromised, the same credentials cannot be used to access information from other services.

Employees often exchange passwords as they share their username, which means their credentials are no longer private. Shared accounts become even more vulnerable to social engineering attacks. When a group of people shares similar credentials, companies cannot distinguish exactly who is performing a particular action in their systems.

Ensure your employees do not use the same usernames or passwords and do not share them. Most companies create a numeric username that has no relation to the user’s real name. For example, the administrator’s username should be replaced with a username that does not identify the account as the administrator.

You should also change all default passwords for devices and apps.

The longer your password is, the better. Longer passwords are more difficult to crack, just as larger encryption keys are more difficult to crack. PCI DSS recommends that businesses have passwords of at least eight characters, but passwords of 10-15 characters or more are generally recommended.

You should also make passwords even more complex by using a combination of numbers, symbols, and letters.

Have limited login attempts with lockout rules

PCI DSS requirement 8 requires accounts to be locked out after six consecutive login attempts. Accounts must remain locked for 30 minutes or until the account is reset by a system administrator. The account locking measure helps avoid many types of brute force attacks.

When an attacker has only six chances to guess the correct answer, their attempt is likely to fail. When accounts are locked, attackers will go to an easier target.

Limit the number of times your employees can try to log into a system. After several unsuccessful sign-in attempts, have the account lock out whoever is trying to get in. This way, you avoid brute force attacks and attempts by social engineers to guess passwords.
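The lockout rule described in this section (lock after six invalid attempts, stay locked for 30 minutes or until an administrator resets the account) can be expressed as a small state tracker. This is an added example, not code from the original page; the class and method names are hypothetical, and the in-memory dictionaries stand in for whatever persistent store a real system would use.

```python
from datetime import timedelta

MAX_ATTEMPTS = 6                           # invalid attempts before lockout
LOCKOUT_DURATION = timedelta(minutes=30)   # lock length unless an admin resets


class LockoutTracker:
    def __init__(self):
        self.failures = {}       # username -> consecutive failed attempts
        self.locked_until = {}   # username -> time at which the lock expires

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # The 30 minutes have passed: clear the lock and the counter
            self.admin_reset(user)
            return False
        return True

    def record_attempt(self, user, password_ok, now):
        """Register one login attempt; return True only if access is granted."""
        if self.is_locked(user, now):
            # While locked, even a correct password is refused
            return False
        if password_ok:
            self.failures.pop(user, None)   # success resets the counter
            return True
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= MAX_ATTEMPTS:
            self.locked_until[user] = now + LOCKOUT_DURATION
        return False

    def admin_reset(self, user):
        """Unlock the account early, as a system administrator would."""
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)
```

The caller passes the current time in explicitly, which makes the 30-minute boundary easy to test without waiting.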

What is a Strong Password?

Attackers try easily guessable passwords because many people still use them. A strong password must contain seven or more characters, a mixture of upper and lower case letters, numbers, and symbols (such as ! @ # $ & *).

Hackers can use default, common, or leaked passwords to get into your network. Out-of-the-box computer equipment and applications, including payment terminals, come with default passwords such as “password” or “admin,” commonly known to criminals.

Businesses must securely change these default passwords to reduce the risk of being compromised, and passwords should never be shared, as each employee must have their own login ID and password.

How to Create a Strong Password?

Even today, people keep using things like their favorite sport as a password. The ten most commonly used passwords are as follows:

  • 123456
  • password
  • 12345678
  • Qwerty
  • 12345
  • 123456789
  • Football
  • 1234
  • 1234567
  • Baseball

None of these passwords are secure because they are straightforward to guess, too simple, or based on keyboard patterns. Hackers are well versed in these lists and often use them as a first step to crack your password. If any of your passwords are on this list, change them as soon as possible.

The best practice is to create a unique password. Some other standard password rules you can apply are as follows:

  • Use a mix of upper and lowercase letters.
  • Do not use names or other personal information.
  • Replace individual letters with numbers.
  • Use gibberish, typos, or substitutions.
  • Do not use repetitive patterns for password change.
  • For personal and work accounts, don’t use the same passwords.

It should be noted that you cannot rely wholly on strong passwords. A password does not protect data completely. It would be best to have a combination of multi-factor authentication, encryption, and other protocols to keep your data safe.

How Can You Upgrade the PCI DSS Password Requirements?

PCI DSS password requirements provide the minimum level of complexity and strength that any organization is expected to meet, whatever technologies it uses. PCI SSC also encourages organizations to implement stricter controls or additional security measures as their security needs require.

When users have to generate and remember complex passwords too often, they tend to use repetitive patterns and store them in insecure ways that create new vulnerabilities. It is recommended that organizations go beyond the PCI DSS password requirements to ensure an appropriate security level.

PCI DSS allows organizations to implement alternative controls to those defined in the standard, provided that PCI DSS requirements are met. When evaluating alternative methods, it is necessary not to consider individual suggestions alone but to apply all recommendations as a complete collection of controls.

If you are trying to meet your PCI DSS requirements, you must comply with the PCI DSS’s password requirements. However, you can apply the following additional controls to strengthen your protection:

Use PassPhrases

Many companies are starting to use passphrases instead of passwords to strengthen personal and commercial data protection. While passwords are strings of about ten letters, numbers, and symbols, passphrases are groups of words with spaces between them.

Pass and Take $ 100 – P@$$andTake$100

Passphrases can contain symbols and upper and lower case letters, and do not have to be grammatically meaningful. Passphrases are usually easier to remember but more difficult to crack than passwords.

Details about passwords and passphrases can be found below:

  • Passphrases contain spaces and words. Passwords are strings of letters, numbers, and symbols that are approximately ten characters long.
  • In general, passphrases are longer than passwords.
  • Passphrases can be made more complex and robust by using symbols, numbers, and upper and lower case letters.
  • Major operating systems (Windows, Mac, Linux) allow passwords up to 127 characters long.

Use Password Blacklist

User-generated passwords also have limits. You can reduce your exposure by checking user passwords against a compromised password list. You can use the 100,000 most compromised passwords list or use online resources to create your own password blacklist.

If you’re looking for a more comprehensive list without having to compile it yourself, you can use a third-party password filtering service that includes billions of stolen passwords and is regularly updated with new leaked passwords.
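A blacklist check is more useful when it also catches trivially modified entries, such as a capitalized first letter, an appended "1", or symbol-for-letter swaps. The following added example (not code from the original page) normalizes a candidate password before the lookup; the sample list is the ten common passwords quoted on this page, and the substitution table and function names are assumptions made for illustration.

```python
import re

# Sample blacklist: the ten common passwords listed on this page, lowercased.
# A real deployment would load a far larger compromised-password list.
SAMPLE_BLOCKLIST = {
    "123456", "password", "12345678", "qwerty", "12345",
    "123456789", "football", "1234", "1234567", "baseball",
}

# Assumed table of common symbol-for-letter swaps to undo before lookup.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "$": "s",
                      "5": "s", "3": "e", "1": "i", "!": "i"})


def candidate_forms(password):
    """Return simplified forms of a password that undo common user tweaks."""
    lowered = password.lower()                  # undo capitalization
    forms = {lowered}
    # Undo digits or symbols tacked onto the end ("password1", "qwerty2024!")
    forms.add(re.sub(r"[\d\W_]+$", "", lowered))
    # Undo symbol-for-letter swaps on every form collected so far
    forms |= {form.translate(LEET) for form in set(forms)}
    forms.discard("")                           # all-digit input strips to ""
    return forms


def blocklist_hit(password, blocklist=SAMPLE_BLOCKLIST):
    """Return the blacklist entry this password reduces to, or None."""
    for form in sorted(candidate_forms(password)):
        if form in blocklist:
            return form
    return None
```

The check runs at the moment a password is set or changed, when the plaintext is available; it cannot be applied afterwards to properly hashed stored passwords.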

Monitor User Passwords

If you do not currently have a mechanism for checking compromised passwords, you should scan your database for weak or leaked passwords. It is essential to examine the database and find out which accounts are using weak or blacklisted passwords.

You can also use the following ideas to find weak passwords:

  • Expired encrypted accounts
  • Accounts with approaching password expiration dates
  • Accounts using the same passwords
  • Accounts that do not require a password
  • Accounts that do not require a minimum password length
  • Old/inactive manager accounts

Implement Multi-Factor Authentication

System protection should not rely solely on the strength of a single password. No password should be considered unbreakable. Therefore, the implementation of multi-factor authentication is vital in protecting remote access, which is a requirement under PCI DSS.

Multi-factor authentication requires at least two of the following three factors:

  • Something only you know (e.g., a username and password, PIN)
  • Something only you have (e.g., token, smart card)
  • Something only you are (e.g., fingerprint, retinal scan)

Examples of adequate remote access multi-factor authentication include:

  • The remote user must enter their username and password and then enter the one-time password (OTP) sent to their smartphone.
  • The remote user must enter their username and password and then use a unique dynamic number shown on a secure token.

The authentication mechanisms you use should be independent of each other, so that access to one factor does not give access to another, and so that if one factor is compromised, it doesn’t affect the other factor’s integrity or privacy.

Use Open Password Scan Tools

Enforcing password expirations leads to weak passwords because users often change only a few characters in their password and, as a result, do not change the password as a whole. There is a much simpler solution than forcing users to change their passwords every 30, 60, or 90 days.

Don’t ask users to change their passwords unless it turns out they are using leaked passwords. You can continuously monitor user passwords to check whether they have been exposed in a data breach or are common passwords. Open password scanning can increase security without inconveniencing your users.

Suggest Longer Passwords Over Complexity

You must meet the length and complexity criteria in the PCI password requirements. However, when password complexity is enforced, users tend to default to behaviors such as capitalizing the first character or adding 1 to the end of the password. Hackers know this and create algorithms to crack these passwords easily.

If the password is too complex, the user can write it down or store it in an unsafe place. Additionally, research has shown that longer passwords without complexity are more robust than shorter passwords with complexity. Longer passwords with complexity will be even stronger.

Many companies now ask users to create easy-to-remember passwords, such as “the best meal is hamburger because it’s delicious, filling and delicious for me and everyone else.” As for what password length should be enforced, it should be a minimum of 12 to 15 characters, with no maximum. If you need to apply a maximum, it should be significantly higher than the minimum.

How to Manage Passwords Easily?

The implementation of corporate password management helps small and large businesses keep their information intact. No matter how many employees you have, you may need help protecting the passwords that run your business.

A password manager creates strong passwords and remembers each one for you. However, if you choose this route, you will still need to create and remember one secure master password.

Trying to remember each password or using an easy-to-read pattern is where the problem begins.

This is where password managers make life more comfortable. The password manager recalls all your passwords for you, as long as you create a strong master password, which is the one you must remember.

There are three platforms that you can use specifically for password management. Each of these is a reliable option:

  • Dashlane
  • LastPass
  • KeePass

The important thing is to remember that you need to use random words for a secure password.


Indeed, passwords alone cannot protect your data very well, but you should make the passwords you use as strong as possible. The fact that many businesses don’t even use essential password protection shows how insecure their data can be.

Passwords will no longer be needed as technology advances, but computers and applications currently require unique, strong passwords. Companies should always check and change the default passwords set when installing their routers and POS systems. Many default passwords have been posted on the Internet, making it very easy for hackers to hack your computers.

See Also: PCI SSC Infographic: Strong Passwords

Surkay Baykara