At the end of 2004, five major credit card companies—American Express, Discover, JCB, Mastercard, and Visa—joined together to create the Payment Card Industry Data Security Standard (PCI DSS) in an effort to curb data fraud in the finance sector. Any organization that wants to process, store, or transmit credit card data must ensure they comply with the mandated PCI DSS password policy requirements.
To be PCI DSS compliant, organizations must enforce the password policy requirements mentioned in section 8 of the PCI DSS v4.0.
The following table explains the password policy requirements found in the PCI DSS v4.0 and how ADSelfService Plus helps your organization comply with them.
PCI DSS requirement | Requirement description | How ADSelfService Plus helps meet the requirement |
--- | --- | --- |
Section 2.2.2 | The default vendor-supplied passwords or passphrases are not allowed and must be changed. | ADSelfService Plus allows you to mandate users to change their passwords after an automatic or admin-performed password reset or account unlock action. |
Section 8.3.3 | User identity is verified before modifying any authentication factor. | ADSelfService Plus ensures that identity verification is performed before allowing users to modify any of the configured authentication factors. |
Section 8.3.4 | The allowed number of failed logon attempts must be limited to 10. If a user gets locked out of their account, their account should remain locked for 30 minutes or until a system administrator resets their account. | ADSelfService Plus allows you to configure the number of failed logon attempts that are allowed for a user within a specified time and the lockout duration. |
Section 8.3.5 | In scenarios where a password is generated for a new user or during password reset, the generated password must be unique for every user and must be changed after the first use. | When automatic password reset is enabled, ADSelfService Plus generates unique passwords for users that are compliant with the configured password policy rules. It also mandates that users change their passwords after the first use. |
Section 8.3.6 | A password must have a minimum of 12 characters. If the system does not support 12 characters, a minimum length of 8 characters must be used. | With ADSelfService Plus, you can customize the minimum password length to be 12 characters or more, depending on your requirement. You can also customize the maximum password length as needed. |
Section 8.3.6 | Passwords must contain both numeric and alphabetic characters. | ADSelfService Plus allows you to configure the number of uppercase, lowercase, numeric, special, and Unicode characters that users must include in their passwords. |
Section 8.3.7 | Newly created passwords must not be the same as any of the last four passwords. | ADSelfService Plus allows you to specify the number of previous passwords that a user cannot repeat while choosing a new password. |
Section 8.3.7 | A previously used password cannot be used to gain access to an account for at least 12 months. | ADSelfService Plus allows you to restrict a custom number of previously used passwords during password reset. |
Section 8.3.10.1 | Passwords must be changed at least once every 90 days. | ADSelfService Plus provides customizable password expiration notifications that can be scheduled to remind users about their impending password expiration every 90 days. ADSelfService Plus also provides a web portal that enables users to change their passwords anytime, regardless of their location or connection to the corporate network. |
Section 8.3.11 | When authentication factors such as physical or logical security tokens, smart cards, or certificates are used, they must be assigned to an individual user and not be shared among multiple users. | ADSelfService Plus assigns authentication factors, like security tokens, smart cards, and certificates, uniquely to individual users and prohibits their sharing among multiple users. |
Section 8.4.2 | MFA must be implemented to secure access to the cardholder data environment (CDE). | ADSelfService Plus provides adaptive MFA with 20 different authentication factors to secure organizational resources, such as machines, applications, VPNs, OWA, and RDPs. |
Section 8.4.3 | For remote access, MFA must be implemented either at the system, application, or network level. | ADSelfService Plus provides MFA for remote access sessions, which can be applied either at the client or target machine level. |
Section 8.5.1 | The MFA system implemented should not be susceptible to replay attacks. It should not be bypassed by any user, including administrative users, unless specifically documented or authorized by management on an exception basis, for a limited time. | ADSelfService Plus provides FIDO2 authentication, which is resistant to replay, phishing, and manipulator-in-the-middle attacks. ADSelfService Plus also mandates MFA for all configured users. However, using conditional access policies, the MFA methods presented to users can be customized or even bypassed based on the conditions configured. |
Section 8.5.1 | At least two different types of authentication factors must be used, and the success of all authentication factors is required before access is granted. | ADSelfService Plus allows you to configure two or more MFA factors to secure resources, and the success of all factors is mandatory before access is granted. |
Section 8.6.3 | Password change frequency and password complexity must vary based on the risk levels of user identities. | With ADSelfService Plus, you can allocate policies of varying complexities to users belonging to different OUs and groups. This way, stringent password policy rules with imperative password expiration notifications can be enforced specifically for high-risk users, i.e., users having access to sensitive organizational resources. |
These PCI DSS password requirements address password complexity and strength only at a basic level so that they can accommodate the variation in technologies between businesses. The PCI DSS also allows companies to implement relevant password requirements specified in NIST SP 800-63B.
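The length, character-mix, and password-history rules from the table can be expressed as a small check that runs when a user picks a new password. The following is an added example, not ADSelfService Plus code; the function names, the PBKDF2 work factor, and the sample passwords are assumptions made for illustration. History entries are stored as salted hashes so the reuse check never needs the old plaintext.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 12          # 8.3.6: minimum of 12 characters
HISTORY_DEPTH = 4        # 8.3.7: not the same as any of the last four passwords
PBKDF2_ROUNDS = 100_000  # assumption: example work factor, tune for your hardware


def hash_password(password, salt=None):
    """Return (salt, digest) so history entries never hold plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def policy_violations(candidate, history):
    """List the requirements `candidate` fails; `history` is (salt, digest) pairs, oldest first."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("8.3.6: shorter than 12 characters")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("8.3.6: must contain both numeric and alphabetic characters")
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, attempt = hash_password(candidate, salt)  # re-hash with the stored salt
        if hmac.compare_digest(attempt, digest):     # constant-time comparison
            problems.append("8.3.7: matches one of the last four passwords")
            break
    return problems


def record_password(password, history):
    """Append the new password's hash and keep only the entries the check needs."""
    history.append(hash_password(password))
    del history[:-HISTORY_DEPTH]
    return history


# Constructed sample data: five past passwords, of which only the last four are kept
SAMPLE_HISTORY = []
for old in ["Winter2021pass", "Spring2022pass", "Summer2023pass",
            "Autumn2023pass", "Winter2024pass"]:
    record_password(old, SAMPLE_HISTORY)

if __name__ == "__main__":
    for pw in ["short1", "onlylettersonly", "Summer2023pass", "Winter2021pass"]:
        print(pw, policy_violations(pw, SAMPLE_HISTORY) or "accepted")
```

The oldest sample password is accepted again because it has aged out of the four-entry history; the 12-month reuse restriction listed in the table would need a timestamp stored with each entry, which this example does not implement.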
ADSelfService Plus provides custom password policies that meet all the PCI DSS requirements and can be enforced for all or specific AD users based on their domain, OU, or group membership. With its adaptive MFA techniques, ADSelfService Plus ensures your organizational identities are effectively secured for a comprehensive Zero Trust environment.
Satisfy the PCI DSS Requirement 8.3.6 by configuring the minimum password length and the inclusion of alpha-numeric characters in passwords.
Satisfy the PCI DSS Requirement 8.3.7 by restricting users from reusing any of their last four passwords during password creation.
Choose the minimum number of complexity requirements your users' passwords should satisfy as per your organization's security needs.
Satisfy the PCI DSS Requirement 8.4.2 by securing all endpoints in your network using MFA.
Choose from 20 different authenticators to verify your users' identities.
Free Active Directory users from lengthy help desk calls by letting them self-service their password resets and account unlocks. The ADSelfService Plus 'Change Password' console gives Active Directory users a hassle-free way to change their passwords.
Get seamless one-click access to 100+ cloud applications. With enterprise single sign-on in ADSelfService Plus, users can access all their cloud applications with their Active Directory credentials.
Notify Active Directory users of their impending password or account expiry by emailing them expiry notifications.
Automatically synchronize Windows Active Directory user password and account changes across multiple systems, including Office 365, G Suite, IBM iSeries, and more.
Ensure strong user passwords that resist various hacking threats by requiring Active Directory users to choose compliant passwords and by displaying the password complexity requirements to them.
A portal that lets Active Directory users update their own information, with a quick search facility for finding information about peers using search keys, such as the contact number of the person being searched for.