A Complete List of PCI Password Requirements for Businesses
PCI password requirements were established because the credit card industry recognized that more could and should be done to protect consumers’ privacy and security. Now entering its third decade of practical application, these password requirements focus on maintaining safe password generation, usage, and storage practices.
What is the PCI DSS security standard?
The payment card industry data security standard (PCI DSS) is a set of security requirements designed to ensure all companies that accept, process, store, or transmit credit card information maintain a secure environment. The standard includes what businesses must do to defend against data breaches and avoid penalties. Naturally, this includes preventing unauthorized access to company accounts by following password best practices.
- Purpose of the standard: According to the PCI mission statement, the purpose of all PCI strategic initiatives is to enhance global payment account data security by developing standards and supporting services to improve education, awareness, and effective implementation of cybersecurity initiatives. With 389,000 cases of credit card fraud reported to the Federal Trade Commission (FTC) in 2021 alone, the ongoing need for these initiatives is clear.
- History of the standard: The PCI DSS requirements were developed following the emergence of e-commerce and digital payment methods in the early 2000s. As cybercrimes related to online payments became more prevalent, major credit card brands joined forces to combat hacking, identity theft, and other malicious online activities. In 2001, these efforts culminated with the release of the first PCI DSS standard, and regular updates to the standard have continued ever since.
- PCI DSS 4.0: The latest version of the PCI DSS security standard, PCI DSS 4.0, was released in March of 2022. This new version addresses emerging security threats, promotes security as a continuous process, and clarifies guidance on existing PCI requirements. Version 4.0 requirements will remain optional until March 2025.
Want to learn more about using a password manager for your business?
What are the requirements for PCI DSS passwords?
PCI DSS password requirements for businesses that manage credit card payments mirror industry consensus and best practices for important aspects of password hygiene and include the following specifications:
- Passwords must be reset regularly: The PCI compliance password policy includes a requirement for password resets every 90 days. However, recent NIST recommendations point out the potential downside of these frequent changes—forced updates can lead to minor changes that hackers are likely to guess or passwords that are reused for convenience. Risk-mitigating activities like implementing a password manager to generate strong and complex passwords also minimize the need for mandatory updates.
- Login attempts should be limited: We’ve all guessed at forgotten or misplaced passwords occasionally, hoping to remember correctly before using up the number of allowable attempts. According to PCI password requirements, users should be allowed a reasonable number (3 to 6) of login attempts. After exceeding this quota, the person attempting to log in should either be locked out for a specified period or be required to call the IT department or system administrator to unlock the account. This PCI compliance login limit is a strong deterrent for brute-force attacks that cycle through thousands of credential combinations in an attempt to gain unauthorized account access.
- Timeout sessions must be implemented: Automatic system timeouts are required by the PCI DSS to counteract the risks stemming from a more mobile workforce. All organizations must implement automatic timeouts, although each company can set their own risk-based time limits. After exceeding the inactivity limit, users must re-enter their credentials to rejoin the network. This regulation helps to mitigate the risk of unattended devices in public settings like cafés, airports, and hotels.
- Passwords must be long and complex: Establishing long and complex passwords for all accounts is one of the best ways to thwart hacking practices like brute-force attacks. PCI password requirements specify 7 or more characters, but using at least 12 characters will improve your password strength and resistance to hacking many times over.
- A complex password includes uppercase letters, lowercase letters, numbers, and special characters in random order. It also avoids using common phrases or predictable strings like ABCD and 12345. In addition, a strong, complex password leaves out numbers or phrases that can be linked to your identity, like your name, birthdate, and phone number.
- Passwords must be unique: A unique password is one that is not reused for other accounts. Repeating passwords is common since it reduces the amount of memorization or password management you need to do. However, it also diminishes password security since multiple accounts can be impacted if the reused password is compromised.
- Sensitive data must be encrypted: PCI DSS encryption requirements make it mandatory to encrypt passwords and other sensitive data during transmission and storage, although they do not currently specify a method of encryption. Scrambling passwords through encryption makes them unreadable and unusable to hackers, which lessens the impact of a data breach. The Dashlane password manager utilizes AES 256-bit encryption, widely accepted as the strongest encryption type available, to protect your passwords and other personal information.
Want to learn how Dashlane encrypts customer data and doesn’t take shortcuts? Check out our blog post.
The benefits of using multi-factor authentication
The password hygiene best practices specified by PCI DSS password requirements help to improve cybersecurity and safeguard credit card account information. By highlighting multi-factor authentication (MFA) as well, the PCI has taken an important step toward safer online transactions. The positive attributes of MFA include:
- Providing an extra layer of security
2-factor authentication (2FA) uses a second credential, like a code delivered through an app or text, to confirm user identity. The simple premise behind 2FA recognizes that a hacker who obtains credentials illegally is unlikely to have the user’s device on hand to receive an authentication code. Multi-factor authentication uses two or more identifying factors, often incorporating advanced biometric identifiers like fingerprints or facial recognition for an additional layer of security.
- Validating identity
The concept of a universal digital identity system to positively confirm our online and in-person identity has gained momentum as verification methods improve. Combining something you know (password), something you have (device), and something you are (biometric factors like your fingerprint) produces a highly reliable and nearly failsafe identification process based on MFA. PCI DSS uses the identity assurance of MFA to protect cardholder data access.
- Securing remote working
With mobile and remote working practices becoming more common, it’s essential to verify the identity of employees logging in from locations outside the company network perimeter. MFA provides this additional layer of remote worker authentication to prevent unauthorized access if remote employee devices are lost or stolen or a remote worker uses a public WiFi network without the benefit of a VPN to protect them from hacking and data intercepts.
- Incorporating biometric factors
The biometric authentication methods, like fingerprints and facial recognition, used on many mobile devices are just the tip of the iceberg as passwordless authentication becomes the norm. Although biometric factors are frequently used as one of two or more MFA identifiers, they have the potential to eventually free users and IT teams from time-consuming password creation, storage, and protection processes.
- Complying with PCI-DSS
Simply complying with PCI-DSS requirements is reason enough for organizations handling credit card information to implement MFA, but most already recognize the benefits of this practice for themselves and their customers. The security provided by MFA has justified the decision by the PCI DSS to require it for credit card data access, since it can compensate for shortcomings in password hygiene, storage, and access controls.
How Dashlane helps secure passwords
The Dashlane Password Manager is the ideal cybersecurity solution to help you comply with PCI password requirements by leveling up password hygiene while increasing employee awareness and protection. Dashlane features complementing PCI DSS requirements include:
- Advanced password generation to ensure new or revised passwords are always long and complex.
- 2-factor authentication to provide an additional layer of security for selected accounts.
- Dark Web Monitoring to scan the hidden recesses of the internet for employee credentials and private data and alert them if their information is detected.
- Zero-knowledge architecture to ensure that no one, including Dashlane, can ever access unencrypted employee data.
- A Password Health score to track each employee’s weak, compromised, and reused passwords.
Keeping tabs on your Password Health score is the easiest way to assess and improve your password security. Learn more about how weak, reused, or compromised credentials impact your score.
- PCI Security Standards Council, “About Us,” 2023.
- Dashlane, “9 Practical Password Security Best Practices,” March 2023.
- Credit.com, “Credit Card Fraud Statistics Everyone Should Know in 2023,” March 2023.
- WEX, “What is PCI Compliance: A comprehensive guide,” January 2023.
- PCI Security Standards Council, “At a Glance: PCI DSS v4.0,” April 2022.
- Dashlane, “7 Password Hygiene Best Practices to Follow,” February 2023.
- NetSec News, “Summary of the NIST Password Recommendations,” November 2022.
- Dashlane, “Build the Case for a Password Manager in 8 Steps,” 2023.
- Dashlane, “What the Hack is a Brute Force Attack?” February 2020.
- Dashlane, “Changing Passwords: Best Practices for Remote Workers,” March 2023.
- Dashlane, “Password Management 101,” 2023.
- Dashlane, “What Is a Passphrase, and How Can I Create One?” November 2022.
- Dashlane, “How to Stop Reusing Passwords for Good,” January 2020.
- Dashlane, “What is Encryption?” March 2019.
- Dashlane, “A Complete Guide to Multifactor Authentication,” November 2022.
- Dashlane, “2-factor authentication (2FA) in Dashlane,” 2023.
- Dashlane, “Digital Identity 101: Everything You Need to Know,” April 2023.
- Dashlane, “Why Do You Need a VPN? Don’t Miss These 3 Key Benefits,” August 2020.
- Dashlane, “What is Passwordless Authentication, and Why Should You Care?” November 2022.
- Dashlane, “Trusted Personal Password Manager,” 2023.
- Dashlane, “Dark Web Monitoring: Your Employees Are Likely Using Compromised Passwords,” July 2022.
- Dashlane, “A Deep Dive into Dashlane's Zero-Knowledge Security,” 2023.
- Dashlane, “A look at Password Health Scores around the world in 2022,” 2022.
- Dashlane, “Everything You Need to Know About Your Password Health Score,” October 2020.
- Dashlane, “7 Password Hygiene Best Practices to Follow,” February 2023.
Sign up to receive news and updates about Dashlane
Thanks! You're subscribed. Be on the lookout for updates straight to your inbox.