Let’s Talk About Passwords

If there’s one thing that we know people have been waiting for, it’s finding out whether PCI DSS would finally modernise password requirements.

We are so excited to finally be able to tell you what’s coming up in the Version 4 changes for passwords (in fact, some of these changes might be so exciting that you’ll want to move to v4.0 early!)

What’s Changing?

In the biggest news, you might no longer have to change your password every 90 days.

The key things that are changing with passwords are:

  • 8.3.4: The lockout threshold increases from 6 to 10 invalid authentication attempts
  • 8.3.6: Minimum password length increases from 7 to 12 characters (or 8 characters if the system cannot support 12) – but it still requires both letters and numbers. Note that 8.3.6 is a future-dated requirement: it is best practice until 31 March 2025, after which it becomes mandatory.
  • 8.3.9: If passwords are the ONLY authentication factor for user access, they either have to be:
    • Changed at least once every 90 days, OR
    • The security posture of the accounts has to be dynamically analysed and real-time access to resources automatically determined accordingly

What this means is that if you have multi-factor authentication on user accounts (so the password is no longer the only factor), or you use security tools to dynamically analyse account security posture and adjust access in real time, you may be able to remove the 90-day password expiry altogether. We know this is something that lots of people have been looking forward to, and it will remove many people’s compensating control worksheets!
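To show how the three requirements above fit together in practice, here is an added example (written for this page, not Confide’s or the PCI SSC’s code) that models the 8.3.4 lockout counter, the 8.3.6 length and character rules with the 8-character fallback for systems that cannot hold 12, and the 8.3.9 rule that expiry only applies when the password is the only factor. The `Account` class, function names and the sample dates are assumptions for illustration; the 30-minute lockout duration is the one 8.3.4 specifies but is not mentioned in the summary above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Thresholds from PCI DSS v4.0 requirements 8.3.4, 8.3.6 and 8.3.9.
MAX_FAILED_ATTEMPTS = 10            # 8.3.4: lock after no more than 10 invalid attempts
MIN_LENGTH = 12                     # 8.3.6: minimum length
FALLBACK_MIN_LENGTH = 8             # 8.3.6: floor when the system cannot accept 12
EXPIRY_DAYS = 90                    # 8.3.9: only when the password is the sole factor
LOCKOUT = timedelta(minutes=30)     # 8.3.4: minimum lockout duration (not in the summary above)


def check_complexity(password: str, system_max_length: Optional[int] = None) -> List[str]:
    """Return the list of 8.3.6 violations; an empty list means the password is acceptable.

    system_max_length models a legacy system that cannot store 12 characters; in that
    case the required minimum drops to 8, as the requirement allows.
    """
    required = MIN_LENGTH
    if system_max_length is not None and system_max_length < MIN_LENGTH:
        required = FALLBACK_MIN_LENGTH
    problems = []
    if len(password) < required:
        problems.append(f"length {len(password)} < {required}")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    return problems


@dataclass
class Account:
    """Hypothetical account record; only the fields the checks below need."""
    name: str
    has_mfa: bool                      # True when a second factor is enforced for this user
    password_set: datetime             # when the current password was last changed
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def record_login_attempt(acct: Account, success: bool, now: datetime) -> str:
    """Apply the 8.3.4 lockout rule. Returns 'locked', 'ok' or 'failed'.

    While an account is locked the credentials are not evaluated at all, so a correct
    password during the lockout window still returns 'locked'.
    """
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"
    if success:
        acct.failed_attempts = 0
        acct.locked_until = None
        return "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked_until = now + LOCKOUT
        return "locked"
    return "failed"


def password_expired(acct: Account, now: datetime, dynamic_analysis: bool = False) -> bool:
    """Apply 8.3.9: the 90-day expiry only applies when the password is the only factor
    and no dynamic posture analysis drives access decisions."""
    if acct.has_mfa or dynamic_analysis:
        return False
    return now - acct.password_set > timedelta(days=EXPIRY_DAYS)


if __name__ == "__main__":
    # Constructed sample run.
    now = datetime(2024, 1, 1, 12, 0, 0)
    alice = Account("alice", has_mfa=False, password_set=now - timedelta(days=91))
    print(check_complexity("correcthorse12"))            # []
    print(check_complexity("abc12345"))                  # length 8 < 12
    print(check_complexity("abc12345", system_max_length=8))  # []
    for _ in range(MAX_FAILED_ATTEMPTS):
        status = record_login_attempt(alice, False, now)
    print(status, alice.locked_until)                    # locked, 30 minutes later
    print(password_expired(alice, now))                  # True: single factor, 91 days old
    alice.has_mfa = True
    print(password_expired(alice, now))                  # False: MFA removes the expiry
```

The point worth noticing is the last check: the same 91-day-old password is non-compliant for a single-factor account and perfectly acceptable once MFA is enforced, which is exactly the flexibility 8.3.9 introduces.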

Ready to Start Looking at Version 4?

If you’re just starting out with PCI and want to work with the newest version of the Standard, or you’re keen to use version 4.0 because it matches how you already work (or how you want to work) in your environment, Confide is ready to help. Talk to us to see how we can help you.