Assessing PCI DSS Requirement 8
- Steven Belanger
- Oct 24, 2023
- 3 min read
Assessing PCI DSS Requirement 8: Secure Passwords for Organizations Processing Credit Card Data
Credit card information is a top target for cybercriminals in the current digital era, so it is crucial for businesses to take preventative measures to safeguard this sensitive data. The Payment Card Industry (PCI) Data Security Standard (DSS) is a comprehensive security standard that helps businesses secure customer account data. The eighth of the PCI DSS standard's twelve requirements is "Identify and authenticate access to system components" (PCI DSS v3.2.1, 2018). This requirement emphasizes how crucial secure passwords are to guaranteeing that only authorized users can access system components that store, process, or transmit cardholder data. In this report we will go over how to evaluate Requirement 8 and three of its sub-requirements for a company that handles credit card data.
Assessing Requirement 8: the following actions can be taken to determine whether an organization complies with Requirement 8 of the PCI DSS standard:
Step 1: Determine the organization's password policy. The company must make sure that it has a strong password policy that complies with PCI DSS requirements. The policy should state the minimum password length, complexity requirements, and password expiration period.
Step 2: Verify that each user account has a password. Each user account with access to a system component that stores, processes, or transmits customer data must have its own password that complies with the password policy.
Step 3: Verify that credentials are not kept in plain text. To guard passwords against unauthorized access, they should be stored in an encrypted format.
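As an added example (not code from the original post or from the PCI Security Standards Council), the three steps above as a small assessment script: the policy thresholds, the list of accepted hash formats, the account export and the assessment date are all constructed placeholders, to be replaced with the minimums from your organization's documented password policy and a real export from the system under review.

```python
"""PCI DSS Requirement 8 assessment checks (added example, not from the post)."""
import re
from datetime import date

# Constructed policy thresholds: placeholders, not figures from the standard.
# Substitute the minimums from your organization's documented password policy.
REQUIRED_POLICY = {"min_length": 12, "require_complexity": True, "max_age_days": 90}

# Stored credentials must be in a recognized salted-hash format; anything else
# is flagged as plaintext or an unrecognized scheme (Step 3 / 8.3).
HASH_FORMATS = re.compile(r"^\$(2[aby]|argon2id|argon2i|6|pbkdf2-sha256)\$")

def check_policy(configured, required=REQUIRED_POLICY):
    """Step 1: list configured settings weaker than the documented policy."""
    gaps = []
    if configured.get("min_length", 0) < required["min_length"]:
        gaps.append("min_length")
    if required["require_complexity"] and not configured.get("require_complexity"):
        gaps.append("require_complexity")
    # max_age_days of 0 or missing means passwords never expire, which also fails.
    if not 0 < configured.get("max_age_days", 0) <= required["max_age_days"]:
        gaps.append("max_age_days")
    return gaps

def audit_account(acct, today, required=REQUIRED_POLICY):
    """Steps 2 and 3 for one account; an empty list means no findings."""
    findings = []
    if not acct["stored"]:
        findings.append("no password set")
    elif not HASH_FORMATS.match(acct["stored"]):
        findings.append("credential not stored as a recognized password hash")
    if acct["last_set"] is None:
        findings.append("no password change date recorded")
    elif (today - acct["last_set"]).days > required["max_age_days"]:
        findings.append("password older than policy maximum")
    return findings

def audit(accounts, today, required=REQUIRED_POLICY):
    """Return {user: findings} for every account with at least one finding."""
    return {a["user"]: f for a in accounts if (f := audit_account(a, today, required))}

# Constructed account export and assessment date for demonstration (not real data).
AS_OF = date(2023, 10, 24)
ACCOUNTS = [
    {"user": "alice", "stored": "$2b$12$" + "A" * 53, "last_set": date(2023, 9, 1)},
    {"user": "bob", "stored": "Summer2023!", "last_set": date(2023, 9, 1)},
    {"user": "carol", "stored": "", "last_set": None},
    {"user": "dave", "stored": "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHQ$aGFzaGhhc2g", "last_set": date(2023, 1, 2)},
]
```

Running `audit(ACCOUNTS, AS_OF)` reports bob (plaintext credential), carol (no password, no change date) and dave (expired) and leaves alice out; `check_policy` is fed the system's exported settings the same way.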
To determine whether a company complies with the standard, each of the sub-requirements under Requirement 8 must be evaluated. This report covers three sub-requirements, along with how to determine whether each is in place:
Sub-Requirement 8.1: "Define a strong password policy" (PCI DSS v3.2.1, 2018): To confirm that this sub-requirement is in place, examine the company's password policy. The policy should set out the minimum password length, complexity requirements, and password expiration period, and it should also explain the consequences of violating the policy.
Sub-Requirement 8.2: "Ensure password strength testing" (PCI DSS v3.2.1, 2018): To confirm that this sub-requirement is in place, the company should carry out regular password strength testing. The testing process should include both reviewing the password policy and examining current password usage, and the findings should be used to identify where there is room for improvement.
Sub-Requirement 8.3: "Protect passwords during transmission and storage" (PCI DSS v3.2.1, 2018): To demonstrate that this sub-requirement is in place, the organization should use encryption to safeguard credentials both while they are being transmitted and while they are stored. This can be confirmed by reviewing the company's security procedures and making sure that all password-related activities are covered by cryptography.
Ultimately, the protection of credit card data depends on Requirement 8 of the PCI DSS standard. By taking the actions described above, organizations can evaluate their compliance with the requirement and its sub-requirements. Although adopting and upholding a strong password policy may be difficult, it is crucial for protecting customer account data and for ensuring that the company complies with PCI DSS requirements.
References:
PCI Security Standards Council. (n.d.). Document Library. https://www.pcisecuritystandards.org/document_library/