By Jason Maiden, CISSP, PMP, PCI QSA, ISO 27001 Lead Auditor – Managing Consultant

The Payment Card Industry Data Security Standard (PCI DSS) v4.x introduced several new and enhanced security requirements, many of which became effective on March 31, 2024. However, the clock is ticking on additional future-dated requirements set to take effect on March 31, 2025. Among these, a significant portion pertains to the use and management of passwords—an area that remains a critical focal point in mitigating security threats.

Why Password Security Matters:

Password compromises continue to rank among the top cybersecurity threats, with attackers exploiting weaknesses such as:

  • Generic, easy-to-guess passwords.
  • Stolen credentials being traded or sold on the dark web after data breaches.
  • Password spraying attacks that test common passwords across multiple accounts.
  • The availability of sophisticated password-cracking tools that expedite unauthorized access.

To combat these risks, PCI DSS v4.x significantly strengthens its password-related requirements. Below is a summary of what your organization needs to address before the deadline.

Key Password-Related Requirements in PCI DSS v4.x

Requirement 8.3.6 – Password Length

The minimum password length is increasing from 7 to 12 characters (alpha-numeric). While this may seem like a big leap for users, it aligns with the recommendations of other security standards, such as the Center for Internet Security (CIS) and Microsoft, both of which advocate for a 14-character minimum. Ensure your systems and applications support this requirement to avoid compliance challenges.

Requirement 8.3.10.1 – Password Changes for Non-MFA Users

This requirement applies to service providers: if your customers' user accounts are not protected by multi-factor authentication (MFA), those passwords will now be required to change every 90 days. This requirement aims to push organizations toward adopting MFA as the preferred authentication method, given its superior security over password-only systems.

Requirement 8.4.2 – Mandatory MFA for CDE Access (Effective March 31, 2025)

By March 2025, personnel with access to the cardholder data environment (CDE) must use multi-factor authentication. This applies to anyone with internal administrative access to systems, networks, or devices that process, store, or transmit payment card information. MFA is already recommended by leading security frameworks, and organizations should view this requirement as both a compliance obligation and a proactive security enhancement.

Requirement 8.5.1 – Enhanced MFA Implementation Standards

When MFA is implemented, stricter rules will apply to ensure secure authentication:

  • Simultaneous Submission of All Authentication Factors: Users must provide all required factors (e.g., password, token, biometric) at the same time, preventing sequential attacks.
  • No Feedback on Failed Authentication Attempts: Systems must not disclose which factor was incorrect during a failed login attempt. This minimizes information leakage that could help attackers refine their methods.

This approach significantly bolsters protection against sophisticated authentication attacks, ensuring only authorized personnel gain access.
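As an added illustration of the two 8.5.1 points above (example code written for this post, not code from PCI DSS or HALOCK), here is a login check that evaluates the password and a TOTP code together and returns only a single pass/fail verdict, never which factor was wrong. The user record, salt and TOTP seed are constructed for the example.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo user store (made-up values, not real credentials):
# a salted PBKDF2 password hash plus a TOTP seed per user.
_SALT = b"demo-salt-0001"
_TOTP_SECRET = b"demo-totp-seed-0001"
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, 100_000),
        "totp_secret": _TOTP_SECRET,
    }
}
# Dummy values used for unknown users so timing does not reveal whether an account exists.
_DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"dummy", _SALT, 100_000)


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP on HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_mfa(username: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Check every submitted factor, then return one generic verdict.

    Both factors are always evaluated (no short-circuit) and the caller learns
    only success or failure, not which factor was wrong.
    """
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    expected_hash = user["pw_hash"] if user else _DUMMY_HASH
    secret = user["totp_secret"] if user else _TOTP_SECRET
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    password_ok = hmac.compare_digest(candidate, expected_hash)
    # Accept the current 30-second step and its neighbours to tolerate clock drift.
    code_ok = any(
        hmac.compare_digest(code.encode(), totp(secret, now + d).encode())
        for d in (-30, 0, 30)
    )
    # Non-short-circuit & : both checks have already run regardless of outcome.
    return bool(user) & password_ok & code_ok
```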

Requirement 8.6.2 – Secure Storage of Credentials

Passwords and other credentials can no longer be stored in scripts or files. Organizations must adopt secure alternatives, such as password vaults or credential management solutions, to reduce the risk of unauthorized access and enhance credential security.

Preparing for Compliance: The Role of Targeted Risk Analysis (TRA)

Adopting these password requirements can seem daunting, but a Targeted Risk Analysis (TRA) provides a roadmap for effective implementation. Using frameworks like PCI DSS and DoCRA (Duty of Care Risk Analysis), a TRA enables organizations to:

  • Identify password-related risks.
  • Assess the potential impact of breaches.
  • Evaluate current controls against PCI DSS v4.x standards.
  • Prioritize and justify changes to password policies.
  • Demonstrate a clear duty of care in protecting cardholder data.

Act Now: Less Than 120 Days Remaining

The deadline for compliance with these enhanced password requirements is approaching fast. By addressing these changes now, your organization not only ensures PCI DSS compliance but also strengthens its overall security posture.

Contact HALOCK Security Labs today to learn how we can help you achieve PCI DSS v4.x compliance, establish reasonable security practices, and mitigate the risks associated with weak password management.