PCI Compliance: Not a Password Security Guarantee

Written by

The UK is the third largest e-commerce market in the world with more than half of its sales online. Online (remote purchase) fraud against UK retailers totaled an estimated £265.1m in 2018, a 29% from the previous year, and a report confirmed that social engineering and data breaches were a major contributor to the losses. 

To reduce the risk of payment fraud and increase data security, organizations who accept or process payment cards must comply with the Payment Card Industry Data Security Standard (PCI DSS). The PCI Standard was developed to protect card information during and following a financial transaction. While compliance with PCI is not required by law in the UK, non-compliance can result in large penalties and revocation of your rights to process credit card transactions. Also, since PCI applies to a subset of data GDPR encompasses, a breach that violates PCI compliance also violates the GDPR, which will continue to be in full effect until the end of 2020 and likely be incorporated into UK laws after the Brexit transition period is over.  

What Are the PCI Password Requirements?

Hackers can break into your network using default, common or leaked passwords. To protect your organization against password-related threats, the PCI requires that passwords:

  • Must be at least seven characters long
  • Must contain both numeric and alphabetic characters
  • Must expire every 90 days
  • Must be different from previous passwords
  • Must not use vendor-supplied defaults for system passwords and other security parameters

Will following these requirements make a password strong? An analysis of 5000 PCI compliant passwords showed that a majority of them contained words similar to usernames, dictionary words and keyboard patterns. This means they were still vulnerable to the multitude of password attacks out there – rainbow tables, brute force, dictionary attacks – and not to mention they can be easily guessed and socially engineered.

Besides the complexity requirement, password expiry is another sticking point as PCI still imposes it whereas NCSC and Cyber Essentials believe forcing password changes encourages poor password choices. When having to create and recall complex passwords so often, users resort to using predictable patterns and recording them via insecure methods which create new vulnerabilities. To provide the proper level of protection, it is recommended that organizations go above and beyond the PCI compliance password requirements.

Exceeding PCI Password Requirements

If you are looking to comply with PCI, you will have to follow their password requirements for the time being until it adopts a new password philosophy more aligned with that of NCSC. However, you can add those additional controls to strengthen your defenses:

Use a Password Blacklist

User-generated passwords have their limitations but you can minimize your exposure by checking user passwords against a compromised password list. You can use NCSC’s top 100,000 most hacked passwords or create your own password blacklist using online sources. If you’re looking for a more comprehensive list,  without having to compile your own, use a third party password filtering service that includes billions of compromised passwords and is continuously updated with the latest leaked passwords.

Monitor User Passwords

If you currently don’t have a mechanism in place to check against compromised passwords, an important first step is to find out how big your problem is. Usethis free password auditing tool to scan Active Directory and find out which accounts are using weak or blacklisted passwords. Other available insights include:

  • Accounts with expired passwords
  • Accounts with password expiration approaching
  • Accounts using identical passwords
  • Accounts not requiring passwords
  • Accounts without a minimum password length requirement
  • Stale/inactive admin accounts

Additionally, the tool shows how your current password policy compares to other industry and compliance recommendations such as NCSC and PCI. Click here for free download.

What’s hot on Infosecurity Magazine?