Requirement 8.1.1 is about effectively managing and maintaining the various policies and procedures specified throughout Requirement 8. While it is important to define the specific policies or procedures called out in Requirement 8, it is equally important to ensure they are properly documented, maintained, and disseminated.
It is important to update policies and procedures as needed to address changes in processes, technologies, and business objectives. For these reasons, consider updating these documents as soon as possible after a change occurs and not only on a periodic cycle.
Security policies define the entity's security objectives and principles. Operational procedures describe how to perform activities, and define the controls, methods, and processes that are followed to achieve the desired result in a consistent manner and in accordance with policy objectives.
If roles and responsibilities are not formally assigned, personnel may not be aware of their day-to-day responsibilities and critical activities may not occur.
Roles and responsibilities may be documented within policies and procedures or maintained within separate documents. As part of communicating roles and responsibilities, entities can consider having personnel acknowledge their acceptance and understanding of their assigned roles and responsibilities.
A method to document roles and responsibilities is a responsibility assignment matrix that includes who is responsible, accountable, consulted, and informed (also called a RACI matrix).
Unique IDs ensure that actions on critical data and systems can be traced to known and authorized users. Without unique identification, it becomes impossible to determine who performed a particular action, undermining accountability.
Every user should be assigned a unique ID before being granted access. Generic or shared IDs should not be used. The unique ID should be used for all authentication and access logging purposes.
Group, shared, or generic accounts make it impossible to trace actions to specific individuals. If a shared account is compromised, there is no way to determine which individual's credentials were stolen or misused.
If shared accounts are absolutely necessary for a specific business reason, they should be managed with controls that include unique identification of each individual using the account and should be used only as an exception, not as standard practice.
Service providers face heightened risks from shared or generic accounts because multiple clients' data may be accessible. Ensuring unique authentication for each client connection helps prevent unauthorized cross-client access.
Service providers should implement unique authentication credentials for each client connection and should not use shared or generic credentials across multiple client environments.
Proper lifecycle management of user accounts ensures that accounts are created, modified, and removed in a controlled manner. Without lifecycle management, orphaned accounts may persist and be exploited by attackers.
A formal process should be in place for all account lifecycle events, including creation, modification, suspension, and removal. Accounts should be promptly disabled or removed when users leave the organization or no longer need access.
Accounts of terminated users that remain active can be exploited by the former user or by an attacker who discovers the credentials. Revoking access promptly upon termination reduces this risk.
Access should be revoked immediately upon termination. A process should be in place to ensure that all accounts and access rights are identified and disabled. This includes physical and logical access to all systems and facilities.
Inactive accounts that remain enabled provide an opportunity for attackers to use the accounts without detection. Removing or disabling inactive accounts reduces the number of potential attack vectors.
Accounts that have been inactive for 90 days should be disabled or removed, preferably by an automated process rather than by manual review alone. A process should be in place to regularly identify and manage inactive accounts. That process needs a reliable record of each account's last successful authentication, and accounts that have never been used should be measured from their creation date so that unused provisioned accounts do not escape the check.
Third-party accounts used for system access, maintenance, or support can provide a pathway for unauthorized access if not properly managed. Managing these accounts ensures that access is controlled and monitored.
Third-party accounts should only be enabled during the time period needed and disabled when not in use. All third-party access should be monitored, and the accounts should use unique credentials and multi-factor authentication.
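The lifecycle rules above (revoke on termination, disable after 90 days of inactivity, keep third-party accounts enabled only inside their approved window) are easy to state and easy to miss in practice, because each one depends on a different piece of data. The following is an added example, not code from the original guidance: a review pass over an account inventory that flags every enabled account one of those rules would have disabled. The account records, user IDs, dates and the "as of" date are constructed sample data; the field names are assumptions about what an identity inventory export would contain.

```python
"""Account lifecycle review (added example; all data below is constructed).

Flags enabled accounts that the lifecycle rules say should no longer be
enabled: terminated users, accounts inactive for 90 days or more, accounts
never used since creation, and third-party accounts outside their approved
access window. Returns (user_id, reason) pairs for a reviewer to act on.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

INACTIVITY_LIMIT = timedelta(days=90)


@dataclass
class Account:
    user_id: str
    enabled: bool
    created: datetime
    last_login: Optional[datetime]            # None: never authenticated
    terminated: bool = False                  # offboarding says the person has left
    third_party: bool = False                 # vendor, support or maintenance account
    access_window: Optional[Tuple[datetime, datetime]] = None  # approved (start, end)


def review_accounts(accounts: List[Account], now: datetime) -> List[Tuple[str, str]]:
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                          # already disabled: nothing to do
        if acct.terminated:
            # Revocation on termination is immediate, so a still-enabled
            # account is a finding regardless of how recently it was used.
            findings.append((acct.user_id, "terminated-but-enabled"))
            continue
        if acct.third_party:
            if acct.access_window is None:
                findings.append((acct.user_id, "third-party-no-approved-window"))
            else:
                start, end = acct.access_window
                if not start <= now <= end:
                    findings.append((acct.user_id, "third-party-outside-window"))
        # Inactivity is measured from the last successful authentication. An
        # account that has never been used is measured from its creation date
        # so that unused provisioned accounts do not escape the check.
        reference = acct.last_login if acct.last_login is not None else acct.created
        if now - reference >= INACTIVITY_LIMIT:
            reason = "inactive-90-days" if acct.last_login is not None else "never-used-90-days"
            findings.append((acct.user_id, reason))
    return findings


def sample_accounts() -> List[Account]:
    """Constructed sample inventory; user IDs and dates are illustrative only."""
    utc = timezone.utc
    return [
        Account("alice", True, datetime(2023, 1, 10, tzinfo=utc), datetime(2024, 5, 30, tzinfo=utc)),
        Account("bob", True, datetime(2023, 1, 10, tzinfo=utc), datetime(2024, 1, 15, tzinfo=utc)),
        Account("carol", True, datetime(2024, 1, 1, tzinfo=utc), None),
        Account("dave", True, datetime(2022, 6, 1, tzinfo=utc), datetime(2024, 5, 1, tzinfo=utc),
                terminated=True),
        Account("erin", False, datetime(2021, 3, 1, tzinfo=utc), datetime(2023, 1, 1, tzinfo=utc)),
        Account("frank", True, datetime(2023, 1, 10, tzinfo=utc), datetime(2024, 3, 3, tzinfo=utc)),
        Account("vendor-acme", True, datetime(2024, 4, 1, tzinfo=utc), datetime(2024, 4, 20, tzinfo=utc),
                third_party=True,
                access_window=(datetime(2024, 4, 1, tzinfo=utc), datetime(2024, 4, 30, tzinfo=utc))),
        Account("vendor-beta", True, datetime(2024, 5, 20, tzinfo=utc), datetime(2024, 5, 28, tzinfo=utc),
                third_party=True),
    ]


def run_review(now: Optional[datetime] = None) -> List[Tuple[str, str]]:
    """Review the sample inventory as of a fixed date so results are reproducible."""
    if now is None:
        now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    return review_accounts(sample_accounts(), now)


if __name__ == "__main__":
    for user_id, reason in run_review():
        print(f"{user_id:12} {reason}")
```

Two details matter more than the 90-day arithmetic: a terminated account is reported even if it was used yesterday, because the trigger is the termination event and not inactivity, and "frank" is reported at exactly 90 days because the limit is inclusive; whichever boundary a policy chooses, the review and the policy text must agree on it.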
If a user session remains active after a period of inactivity, an unauthorized individual could potentially use the session to access systems or data. Terminating idle sessions helps prevent this type of unauthorized access.
System or session idle time-out features should be set to 15 minutes or less. Users should be required to re-authenticate to reactivate the terminal or session.
Authentication using at least one factor helps verify the identity of users before granting access to system components or cardholder data. Without authentication, there is no way to verify that the person requesting access is who they claim to be.
All access attempts should require authentication with at least one factor. The authentication mechanism used should be appropriate for the sensitivity of the systems and data being accessed.
Authentication factors include something you know (passwords, passphrases), something you have (tokens, smart cards), and something you are (biometrics).
Strong cryptography should be used to render all authentication factors unreadable during transmission and storage. If authentication factors are intercepted or accessed in cleartext, they could be used by an attacker to gain unauthorized access.
All authentication factors should be encrypted during transmission using strong cryptographic protocols. Stored passwords and passphrases should be rendered unreadable with a salted, deliberately slow one-way password hashing function, using a unique salt for each credential; a plain fast hash is cheap to brute-force offline once the stored values leak. Factors that must be recoverable by the system, such as the shared secrets behind one-time-password tokens, cannot be hashed and should instead be encrypted with strong cryptography.
Using valid user IDs during authentication ensures that actions can be traced to identified individuals and that authentication is tied to a specific, known user. This is fundamental to maintaining accountability.
Authentication systems should verify both the user identity and the authentication factor. Failed authentication attempts should be logged with the user ID attempted for security monitoring purposes, but never with the submitted password or other secret: users routinely type a password into the user ID field by mistake, so a log of attempted IDs will contain cleartext credentials unless that field is handled with care.
Weak passwords can be easily guessed or cracked by attackers. Invalid authentication attempts that go unchecked allow attackers unlimited opportunities to guess credentials. Limiting invalid attempts and locking out accounts helps prevent brute-force attacks.
Accounts should be locked out after no more than 10 invalid authentication attempts. The lockout should last at least 30 minutes or until the user's identity is confirmed, for example by an administrator resetting the account. The lockout check must run before the submitted credential is verified, so that a locked account is refused even when the correct password is supplied; otherwise an attacker who keeps guessing learns the moment a guess is right.
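The lockout rule is a small state machine, and the ordering of its checks is where implementations go wrong. The following is an added example and not code from the original guidance: a per-user-ID failure counter that locks after 10 invalid attempts, stays locked for 30 minutes or until an administrator unlocks it, and is consulted before the credential is checked. The clock is injected so the 30-minute behaviour can be exercised without waiting; the user IDs in the demonstration are constructed.

```python
"""Lockout tracker (added example). Counts invalid authentication attempts per
user ID, locks the ID after MAX_ATTEMPTS and keeps it locked for
LOCKOUT_DURATION or until an administrator confirms the user's identity."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict

MAX_ATTEMPTS = 10
LOCKOUT_DURATION = timedelta(minutes=30)


class LockoutTracker:
    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._clock = clock                       # injected so tests can move time
        self._failures: Dict[str, int] = defaultdict(int)
        self._locked_until: Dict[str, datetime] = {}

    def _unlock(self, user_id: str) -> None:
        self._locked_until.pop(user_id, None)
        self._failures[user_id] = 0               # next lockout needs 10 fresh failures

    def is_locked(self, user_id: str) -> bool:
        until = self._locked_until.get(user_id)
        if until is None:
            return False
        if self._clock() < until:
            return True
        self._unlock(user_id)                     # lockout period has elapsed
        return False

    def record_failure(self, user_id: str) -> bool:
        """Register an invalid attempt; returns True if the ID is now locked."""
        if self.is_locked(user_id):
            return True
        self._failures[user_id] += 1
        if self._failures[user_id] >= MAX_ATTEMPTS:
            self._locked_until[user_id] = self._clock() + LOCKOUT_DURATION
            return True
        return False

    def record_success(self, user_id: str) -> None:
        self._failures[user_id] = 0

    def admin_unlock(self, user_id: str) -> None:
        """Identity confirmed out of band: clear the lock before the 30 minutes elapse."""
        self._unlock(user_id)


def authenticate(tracker: LockoutTracker, user_id: str, credential_ok: Callable[[], bool]) -> str:
    """Returns 'locked', 'denied' or 'ok'.

    The lock check comes first and the credential is only verified (the
    callable is only invoked) when the ID is not locked, so a locked account
    is refused even with the correct password and no guessing oracle remains.
    """
    if tracker.is_locked(user_id):
        return "locked"
    if credential_ok():
        tracker.record_success(user_id)
        return "ok"
    tracker.record_failure(user_id)
    return "denied"


if __name__ == "__main__":
    # Constructed demonstration: ten wrong guesses, then a correct one.
    tracker = LockoutTracker()
    for attempt in range(1, MAX_ATTEMPTS + 1):
        print(attempt, authenticate(tracker, "alice", lambda: False))
    print("correct password while locked:", authenticate(tracker, "alice", lambda: True))
```

The counter survives across sessions and connections because it is keyed on the user ID, not on the client; a per-connection counter would let an attacker reset it by reconnecting. Counting failures for IDs that do not exist is also worthwhile in a real deployment, so that the lockout response does not reveal which IDs are valid.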
If passwords or passphrases are used as authentication factors, they must be sufficiently complex to resist guessing and brute-force attacks. Weak passwords are one of the most common causes of unauthorized access.
Passwords should be at least 12 characters long (or if the system does not support 12, at least 8 characters) and should contain both numeric and alphabetic characters. Passwords should not be easily guessable.
Requiring passwords to be changed periodically limits the time that a compromised password can be used by an attacker. Regular password changes reduce the risk of ongoing unauthorized access.
Where passwords or passphrases are the only authentication factor, they should be changed at least once every 90 days (or the security posture of the account should be dynamically analyzed so that access is adjusted automatically). Users should be prompted to change their passwords and should not be able to reuse recent passwords.
If new passwords can be the same as recently used passwords, the effectiveness of password changes is diminished. Password history enforcement ensures that users select genuinely new passwords.
Systems should enforce a password history of at least the last four passwords, preventing users from reusing any of these previous passwords.
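An added example (not code from the page or from the PCI SSC) that ties together the storage rule given earlier (one-way hash with a unique salt per credential) and the three password rules above: minimum length with both alphabetic and numeric characters, a 90-day maximum age, and no reuse of the last four passwords. Because every stored hash carries its own salt, the history check works by re-hashing the candidate against each stored entry rather than comparing plaintexts. PBKDF2-HMAC-SHA256, the iteration count, the storage string format and the small denylist are all assumptions chosen for this illustration, not values taken from the standard.

```python
import hashlib
import hmac
import os
import re
import time
from dataclasses import dataclass, field
from typing import List, Optional

# Parameters below are assumptions for this example, not values from the standard.
PBKDF2_ITERATIONS = 600_000          # PBKDF2-HMAC-SHA256 work factor
SALT_BYTES = 16                      # unique random salt per credential
MIN_LENGTH = 12                      # 8 only where the system cannot support 12
HISTORY_DEPTH = 4                    # the current password counts as one of the four
MAX_AGE_SECONDS = 90 * 24 * 3600     # 90-day rotation when passwords are the only factor
DENYLIST = {"password", "passw0rd", "welcome1", "qwerty123", "changeme1"}  # constructed sample


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: scheme$iterations$salt_hex$digest_hex."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False                  # unknown or legacy scheme: refuse rather than guess
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def check_complexity(password: str, min_length: int = MIN_LENGTH) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no alphabetic character")
    if not re.search(r"[0-9]", password):
        problems.append("no numeric character")
    if password.lower() in DENYLIST:
        problems.append("easily guessable (on denylist)")
    return problems


@dataclass
class Credential:
    user_id: str
    current: str                     # hash string for the active password
    changed_at: float                # epoch seconds of the last change
    history: List[str] = field(default_factory=list)   # earlier hash strings, newest first


def must_change(cred: Credential, now: Optional[float] = None) -> bool:
    """True when the active password is older than the rotation limit."""
    return (time.time() if now is None else now) - cred.changed_at > MAX_AGE_SECONDS


def change_password(cred: Credential, new_password: str, now: Optional[float] = None) -> List[str]:
    """Apply complexity and history rules; on success store a freshly salted hash.

    Returns the list of violations; an empty list means the change was applied.
    """
    problems = check_complexity(new_password)
    # Each stored entry has its own salt, so the candidate is re-hashed against every one.
    recent = [cred.current] + cred.history[:HISTORY_DEPTH - 1]
    if any(verify_password(new_password, h) for h in recent):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if problems:
        return problems
    cred.history = recent            # the old current becomes the newest history entry
    cred.current = hash_password(new_password)
    cred.changed_at = time.time() if now is None else now
    return []
```

The history check costs one full PBKDF2 computation per remembered entry, which is acceptable for an interactive password change but is one reason history depth should stay small; the stored string format also lets the iteration count be raised later without invalidating existing hashes, since each record says how it was produced.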
Security awareness about authentication mechanisms helps users understand the importance of protecting their credentials and the risks associated with poor password practices.
Users should be educated about the importance of strong, unique passwords, the risks of sharing credentials, and how to recognize social engineering attempts targeting their credentials.
Using the same password for multiple accounts means that if one account is compromised, all accounts using that password are at risk. Unique passwords for each account limit the impact of a single credential compromise.
Users should be required to use unique passwords for each system or application. Password management tools can help users maintain unique, complex passwords for multiple accounts.
Multi-factor authentication (MFA) provides an additional layer of security beyond passwords. Even if a password is compromised, the attacker would still need the additional authentication factor(s) to gain access.
MFA should be implemented for all non-console administrative access. The authentication factors used should be from different categories (something you know, have, or are). Independence of the factors is important for security.
For non-console administrative access to the CDE, MFA provides critical protection against unauthorized access. Administrative accounts have elevated privileges that make them high-value targets for attackers.
MFA should be required for all non-console administrative access into the CDE. The MFA solution should use independent authentication factors and should be resistant to replay attacks.
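An added example (not code from the page or from the PCI SSC) of a second factor from a different category than the password, implemented as RFC 6238 time-based one-time passwords and verified in a way that resists replay: each accepted code is remembered for its time step, so an intercepted code cannot be presented a second time even within its validity window. The first factor is checked separately and only its outcome is passed in, which keeps the factors independent. The `SecondFactorVerifier` class, the one-step skew window and the `authenticate` wrapper are assumptions made for this illustration.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional, Set, Tuple

TIME_STEP = 30      # RFC 6238 default step in seconds
DIGITS = 6
WINDOW = 1          # accept one step of clock skew either side (assumption)


def totp(secret: bytes, for_time: float, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 8-byte big-endian time counter, then dynamic truncation."""
    counter = int(for_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SecondFactorVerifier:
    """Verifies a TOTP ('something you have') and refuses codes that were already accepted.

    Each accepted (user_id, time counter) pair is recorded, so a code captured in
    transit is useless once its legitimate owner has used it, and a code for an
    adjacent step accepted for clock skew is likewise single-use.
    """

    def __init__(self, step: int = TIME_STEP, window: int = WINDOW):
        self.step = step
        self.window = window
        self._used: Set[Tuple[str, int]] = set()

    def verify(self, user_id: str, secret: bytes, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        counter = int(now) // self.step
        for candidate in range(counter - self.window, counter + self.window + 1):
            expected = totp(secret, candidate * self.step, self.step)
            if hmac.compare_digest(expected, code):
                if (user_id, candidate) in self._used:
                    return False            # replay: this code was already accepted
                self._used.add((user_id, candidate))
                return True
        return False


def authenticate(password_ok: bool, verifier: SecondFactorVerifier, user_id: str,
                 secret: bytes, code: str, now: Optional[float] = None) -> bool:
    """Grant access only when both factors pass.

    The second factor is consulted only after the first succeeds, so a wrong
    password cannot be used to burn a victim's valid one-time code.
    """
    if not password_ok:
        return False
    return verifier.verify(user_id, secret, code, now)
```

The per-user secret would normally be stored under the same protection as other authentication factors, and the set of used counters only needs to cover the skew window, so entries older than a few steps can be discarded.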
Physical and logical security tokens, smart cards, and other authentication devices can be compromised if not properly managed. Ensuring the physical security and integrity of these devices helps maintain the strength of the authentication process.
Authentication devices should be assigned to individual users and should not be shared. Lost or stolen devices should be reported immediately and deactivated. Devices should be protected against unauthorized modification or cloning.
Authentication using at least one factor helps verify the identity of users before granting access to system components or cardholder data. Without authentication, there is no way to verify that the person requesting access is who they claim to be.
All access attempts should require authentication with at least one factor. The authentication mechanism used should be appropriate for the sensitivity of the systems and data being accessed.
Authentication factors include something you know (passwords, passphrases), something you have (tokens, smart cards), and something you are (biometrics).
Strong cryptography should be used to render all authentication factors unreadable during transmission and storage. If authentication factors are intercepted or accessed in cleartext, they could be used by an attacker to gain unauthorized access.
All authentication factors should be encrypted during transmission using strong cryptographic protocols. Stored authentication factors should be rendered unreadable using strong one-way hashing with a unique salt for each credential.
Using valid user IDs during authentication ensures that actions can be traced to identified individuals and that authentication is tied to a specific, known user. This is fundamental to maintaining accountability.
Authentication systems should verify both the user identity and the authentication factor. Failed authentication attempts should be logged with the user ID attempted, for security monitoring purposes.
Weak passwords can be easily guessed or cracked by attackers. Invalid authentication attempts that go unchecked allow attackers unlimited opportunities to guess credentials. Limiting invalid attempts and locking out accounts helps prevent brute-force attacks.
Accounts should be locked out after no more than 10 invalid authentication attempts. The lockout duration should be at least 30 minutes or until an administrator resets the account.
If passwords or passphrases are used as authentication factors, they must be sufficiently complex to resist guessing and brute-force attacks. Weak passwords are one of the most common causes of unauthorized access.
Passwords should be at least 12 characters long (or if the system does not support 12, at least 8 characters) and should contain both numeric and alphabetic characters. Passwords should not be easily guessable.
Requiring passwords to be changed periodically limits the time that a compromised password can be used by an attacker. Regular password changes reduce the risk of ongoing unauthorized access.
Passwords should be changed at least once every 90 days. Users should be prompted to change their passwords and should not be able to reuse recent passwords.
If new passwords can be the same as recently used passwords, the effectiveness of password changes is diminished. Password history enforcement ensures that users select genuinely new passwords.
Systems should enforce a password history of at least the last four passwords, preventing users from reusing any of these previous passwords.
Security awareness about authentication mechanisms helps users understand the importance of protecting their credentials and the risks associated with poor password practices.
Users should be educated about the importance of strong, unique passwords, the risks of sharing credentials, and how to recognize social engineering attempts targeting their credentials.
Using the same password for multiple accounts means that if one account is compromised, all accounts using that password are at risk. Unique passwords for each account limit the impact of a single credential compromise.
Users should be required to use unique passwords for each system or application. Password management tools can help users maintain unique, complex passwords for multiple accounts.
Multi-factor authentication (MFA) provides an additional layer of security beyond passwords. Even if a password is compromised, the attacker would still need the additional authentication factor(s) to gain access.
MFA should be implemented for all non-console administrative access. The authentication factors used should be from different categories (something you know, have, or are). Independence of the factors is important for security.
For non-console administrative access to the CDE, MFA provides critical protection against unauthorized access. Administrative accounts have elevated privileges that make them high-value targets for attackers.
MFA should be required for all non-console administrative access into the CDE. The MFA solution should use independent authentication factors and should be resistant to replay attacks.
Physical and logical security tokens, smart cards, and other authentication devices can be compromised if not properly managed. Ensuring the physical security and integrity of these devices helps maintain the strength of the authentication process.
Authentication devices should be assigned to individual users and should not be shared. Lost or stolen devices should be reported immediately and deactivated. Devices should be protected against unauthorized modification or cloning.
Authentication using at least one factor helps verify the identity of users before granting access to system components or cardholder data. Without authentication, there is no way to verify that the person requesting access is who they claim to be.
All access attempts should require authentication with at least one factor. The authentication mechanism used should be appropriate for the sensitivity of the systems and data being accessed.
Authentication factors include something you know (passwords, passphrases), something you have (tokens, smart cards), and something you are (biometrics).
Strong cryptography should be used to render all authentication factors unreadable during transmission and storage. If authentication factors are intercepted or accessed in cleartext, they could be used by an attacker to gain unauthorized access.
All authentication factors should be encrypted during transmission using strong cryptographic protocols. Stored authentication factors should be rendered unreadable using strong one-way hashing with a unique salt for each credential.
Using valid user IDs during authentication ensures that actions can be traced to identified individuals and that authentication is tied to a specific, known user. This is fundamental to maintaining accountability.
Authentication systems should verify both the user identity and the authentication factor. Failed authentication attempts should be logged with the user ID attempted, for security monitoring purposes.
Weak passwords can be easily guessed or cracked by attackers. Invalid authentication attempts that go unchecked allow attackers unlimited opportunities to guess credentials. Limiting invalid attempts and locking out accounts helps prevent brute-force attacks.
Accounts should be locked out after no more than 10 invalid authentication attempts. The lockout duration should be at least 30 minutes or until an administrator resets the account.
If passwords or passphrases are used as authentication factors, they must be sufficiently complex to resist guessing and brute-force attacks. Weak passwords are one of the most common causes of unauthorized access.
Passwords should be at least 12 characters long (or if the system does not support 12, at least 8 characters) and should contain both numeric and alphabetic characters. Passwords should not be easily guessable.
Requiring passwords to be changed periodically limits the time that a compromised password can be used by an attacker. Regular password changes reduce the risk of ongoing unauthorized access.
Passwords should be changed at least once every 90 days. Users should be prompted to change their passwords and should not be able to reuse recent passwords.
If new passwords can be the same as recently used passwords, the effectiveness of password changes is diminished. Password history enforcement ensures that users select genuinely new passwords.
Systems should enforce a password history of at least the last four passwords, preventing users from reusing any of these previous passwords.
Security awareness about authentication mechanisms helps users understand the importance of protecting their credentials and the risks associated with poor password practices.
Users should be educated about the importance of strong, unique passwords, the risks of sharing credentials, and how to recognize social engineering attempts targeting their credentials.
Using the same password for multiple accounts means that if one account is compromised, all accounts using that password are at risk. Unique passwords for each account limit the impact of a single credential compromise.
Users should be required to use unique passwords for each system or application. Password management tools can help users maintain unique, complex passwords for multiple accounts.
Multi-factor authentication (MFA) provides an additional layer of security beyond passwords. Even if a password is compromised, the attacker would still need the additional authentication factor(s) to gain access.
MFA should be implemented for all non-console administrative access. The authentication factors used should be from different categories (something you know, have, or are). Independence of the factors is important for security.
For non-console administrative access to the CDE, MFA provides critical protection against unauthorized access. Administrative accounts have elevated privileges that make them high-value targets for attackers.
MFA should be required for all non-console administrative access into the CDE. The MFA solution should use independent authentication factors and should be resistant to replay attacks.
Physical and logical security tokens, smart cards, and other authentication devices can be compromised if not properly managed. Ensuring the physical security and integrity of these devices helps maintain the strength of the authentication process.
Authentication devices should be assigned to individual users and should not be shared. Lost or stolen devices should be reported immediately and deactivated. Devices should be protected against unauthorized modification or cloning.
Authentication using at least one factor helps verify the identity of users before granting access to system components or cardholder data. Without authentication, there is no way to verify that the person requesting access is who they claim to be.
All access attempts should require authentication with at least one factor. The authentication mechanism used should be appropriate for the sensitivity of the systems and data being accessed.
Authentication factors include something you know (passwords, passphrases), something you have (tokens, smart cards), and something you are (biometrics).
Strong cryptography should be used to render all authentication factors unreadable during transmission and storage. If authentication factors are intercepted or accessed in cleartext, they could be used by an attacker to gain unauthorized access.
All authentication factors should be encrypted during transmission using strong cryptographic protocols. Stored authentication factors should be rendered unreadable using strong one-way hashing with a unique salt for each credential.
Using valid user IDs during authentication ensures that actions can be traced to identified individuals and that authentication is tied to a specific, known user. This is fundamental to maintaining accountability.
Authentication systems should verify both the user identity and the authentication factor. Failed authentication attempts should be logged with the user ID attempted, for security monitoring purposes.
Weak passwords can be easily guessed or cracked by attackers. Invalid authentication attempts that go unchecked allow attackers unlimited opportunities to guess credentials. Limiting invalid attempts and locking out accounts helps prevent brute-force attacks.
Accounts should be locked out after no more than 10 invalid authentication attempts. The lockout duration should be at least 30 minutes or until an administrator resets the account.
If passwords or passphrases are used as authentication factors, they must be sufficiently complex to resist guessing and brute-force attacks. Weak passwords are one of the most common causes of unauthorized access.
Passwords should be at least 12 characters long (or if the system does not support 12, at least 8 characters) and should contain both numeric and alphabetic characters. Passwords should not be easily guessable.
Requiring passwords to be changed periodically limits the time that a compromised password can be used by an attacker. Regular password changes reduce the risk of ongoing unauthorized access.
Passwords should be changed at least once every 90 days. Users should be prompted to change their passwords and should not be able to reuse recent passwords.
If new passwords can be the same as recently used passwords, the effectiveness of password changes is diminished. Password history enforcement ensures that users select genuinely new passwords.
Systems should enforce a password history of at least the last four passwords, preventing users from reusing any of these previous passwords.
Security awareness about authentication mechanisms helps users understand the importance of protecting their credentials and the risks associated with poor password practices.
Users should be educated about the importance of strong, unique passwords, the risks of sharing credentials, and how to recognize social engineering attempts targeting their credentials.
Using the same password for multiple accounts means that if one account is compromised, all accounts using that password are at risk. Unique passwords for each account limit the impact of a single credential compromise.
Users should be required to use unique passwords for each system or application. Password management tools can help users maintain unique, complex passwords for multiple accounts.
Multi-factor authentication (MFA) provides an additional layer of security beyond passwords. Even if a password is compromised, the attacker would still need the additional authentication factor(s) to gain access.
MFA should be implemented for all non-console administrative access. The authentication factors used should be from different categories (something you know, have, or are). Independence of the factors is important for security.
For non-console administrative access to the CDE, MFA provides critical protection against unauthorized access. Administrative accounts have elevated privileges that make them high-value targets for attackers.
MFA should be required for all non-console administrative access into the CDE. The MFA solution should use independent authentication factors and should be resistant to replay attacks.
Physical and logical security tokens, smart cards, and other authentication devices can be compromised if not properly managed. Ensuring the physical security and integrity of these devices helps maintain the strength of the authentication process.
Authentication devices should be assigned to individual users and should not be shared. Lost or stolen devices should be reported immediately and deactivated. Devices should be protected against unauthorized modification or cloning.
Authentication using at least one factor helps verify the identity of users before granting access to system components or cardholder data. Without authentication, there is no way to verify that the person requesting access is who they claim to be.
All access attempts should require authentication with at least one factor. The authentication mechanism used should be appropriate for the sensitivity of the systems and data being accessed.
Authentication factors include something you know (passwords, passphrases), something you have (tokens, smart cards), and something you are (biometrics).
Strong cryptography should be used to render all authentication factors unreadable during transmission and storage. If authentication factors are intercepted or accessed in cleartext, they could be used by an attacker to gain unauthorized access.
All authentication factors should be encrypted during transmission using strong cryptographic protocols. Stored authentication factors should be rendered unreadable using strong one-way hashing with a unique salt for each credential.
Using valid user IDs during authentication ensures that actions can be traced to identified individuals and that authentication is tied to a specific, known user. This is fundamental to maintaining accountability.
Authentication systems should verify both the user identity and the authentication factor. Failed authentication attempts should be logged with the user ID attempted, for security monitoring purposes.
Weak passwords can be easily guessed or cracked by attackers. Invalid authentication attempts that go unchecked allow attackers unlimited opportunities to guess credentials. Limiting invalid attempts and locking out accounts helps prevent brute-force attacks.
Accounts should be locked out after no more than 10 invalid authentication attempts. The lockout duration should be at least 30 minutes or until an administrator resets the account.
If passwords or passphrases are used as authentication factors, they must be sufficiently complex to resist guessing and brute-force attacks. Weak passwords are one of the most common causes of unauthorized access.
Passwords should be at least 12 characters long (or if the system does not support 12, at least 8 characters) and should contain both numeric and alphabetic characters. Passwords should not be easily guessable.
Requiring passwords to be changed periodically limits the time that a compromised password can be used by an attacker. Regular password changes reduce the risk of ongoing unauthorized access.
Passwords should be changed at least once every 90 days. Users should be prompted to change their passwords and should not be able to reuse recent passwords.
If new passwords can be the same as recently used passwords, the effectiveness of password changes is diminished. Password history enforcement ensures that users select genuinely new passwords.
Systems should enforce a password history of at least the last four passwords, preventing users from reusing any of these previous passwords.
Security awareness about authentication mechanisms helps users understand the importance of protecting their credentials and the risks associated with poor password practices.
Users should be educated about the importance of strong, unique passwords, the risks of sharing credentials, and how to recognize social engineering attempts targeting their credentials.
Using the same password for multiple accounts means that if one account is compromised, all accounts using that password are at risk. Unique passwords for each account limit the impact of a single credential compromise.
Users should be required to use unique passwords for each system or application. Password management tools can help users maintain unique, complex passwords for multiple accounts.
Multi-factor authentication (MFA) provides an additional layer of security beyond passwords. Even if a password is compromised, the attacker would still need the additional authentication factor(s) to gain access.
MFA should be implemented for all non-console administrative access. The authentication factors used should be from different categories (something you know, have, or are). Independence of the factors is important for security.
For non-console administrative access to the CDE, MFA provides critical protection against unauthorized access. Administrative accounts have elevated privileges that make them high-value targets for attackers.
MFA should be required for all non-console administrative access into the CDE. The MFA solution should use independent authentication factors and should be resistant to replay attacks.
Physical and logical security tokens, smart cards, and other authentication devices can be compromised if not properly managed. Ensuring the physical security and integrity of these devices helps maintain the strength of the authentication process.
Authentication devices should be assigned to individual users and should not be shared. Lost or stolen devices should be reported immediately and deactivated. Devices should be protected against unauthorized modification or cloning.
Authentication using at least one factor helps verify the identity of users before granting access to system components or cardholder data. Without authentication, there is no way to verify that the person requesting access is who they claim to be.
All access attempts should require authentication with at least one factor. The authentication mechanism used should be appropriate for the sensitivity of the systems and data being accessed.
Authentication factors include something you know (passwords, passphrases), something you have (tokens, smart cards), and something you are (biometrics).
Strong cryptography should be used to render all authentication factors unreadable during transmission and storage. If authentication factors are intercepted or accessed in cleartext, they could be used by an attacker to gain unauthorized access.
All authentication factors should be encrypted during transmission using strong cryptographic protocols. Stored authentication factors should be rendered unreadable using strong one-way hashing with a unique salt for each credential.
Using valid user IDs during authentication ensures that actions can be traced to identified individuals and that authentication is tied to a specific, known user. This is fundamental to maintaining accountability.
Authentication systems should verify both the user identity and the authentication factor. Failed authentication attempts should be logged with the user ID attempted, for security monitoring purposes.
Weak passwords can be easily guessed or cracked by attackers. Invalid authentication attempts that go unchecked allow attackers unlimited opportunities to guess credentials. Limiting invalid attempts and locking out accounts helps prevent brute-force attacks.
Accounts should be locked out after no more than 10 invalid authentication attempts. The lockout duration should be at least 30 minutes or until an administrator resets the account.
If passwords or passphrases are used as authentication factors, they must be sufficiently complex to resist guessing and brute-force attacks. Weak passwords are one of the most common causes of unauthorized access.
Passwords should be at least 12 characters long (or if the system does not support 12, at least 8 characters) and should contain both numeric and alphabetic characters. Passwords should not be easily guessable.
Requiring passwords to be changed periodically limits the time that a compromised password can be used by an attacker. Regular password changes reduce the risk of ongoing unauthorized access.
Passwords should be changed at least once every 90 days. Users should be prompted to change their passwords and should not be able to reuse recent passwords.
If new passwords can be the same as recently used passwords, the effectiveness of password changes is diminished. Password history enforcement ensures that users select genuinely new passwords.
Systems should enforce a password history of at least the last four passwords, preventing users from reusing any of these previous passwords.
Security awareness about authentication mechanisms helps users understand the importance of protecting their credentials and the risks associated with poor password practices.
Users should be educated about the importance of strong, unique passwords, the risks of sharing credentials, and how to recognize social engineering attempts targeting their credentials.
Using the same password for multiple accounts means that if one account is compromised, all accounts using that password are at risk. Unique passwords for each account limit the impact of a single credential compromise.
Users should be required to use unique passwords for each system or application. Password management tools can help users maintain unique, complex passwords for multiple accounts.
Multi-factor authentication (MFA) provides an additional layer of security beyond passwords. Even if a password is compromised, the attacker would still need the additional authentication factor(s) to gain access.
MFA should be implemented for all non-console administrative access. The authentication factors used should be from different categories (something you know, have, or are). Independence of the factors is important for security.
For non-console administrative access to the CDE, MFA provides critical protection against unauthorized access. Administrative accounts have elevated privileges that make them high-value targets for attackers.
MFA should be required for all non-console administrative access into the CDE. The MFA solution should use independent authentication factors and should be resistant to replay attacks.
Physical and logical security tokens, smart cards, and other authentication devices can be compromised if not properly managed. Ensuring the physical security and integrity of these devices helps maintain the strength of the authentication process.
Authentication devices should be assigned to individual users and should not be shared. Lost or stolen devices should be reported immediately and deactivated. Devices should be protected against unauthorized modification or cloning.
Authentication using at least one factor helps verify the identity of users before granting access to system components or cardholder data. Without authentication, there is no way to verify that the person requesting access is who they claim to be.
All access attempts should require authentication with at least one factor. The authentication mechanism used should be appropriate for the sensitivity of the systems and data being accessed.
Authentication factors include something you know (passwords, passphrases), something you have (tokens, smart cards), and something you are (biometrics).
Strong cryptography should be used to render all authentication factors unreadable during transmission and storage. If authentication factors are intercepted or accessed in cleartext, they could be used by an attacker to gain unauthorized access.
All authentication factors should be encrypted during transmission using strong cryptographic protocols. Stored authentication factors should be rendered unreadable using strong one-way hashing with a unique salt for each credential.
Using valid user IDs during authentication ensures that actions can be traced to identified individuals and that authentication is tied to a specific, known user. This is fundamental to maintaining accountability.
Authentication systems should verify both the user identity and the authentication factor. Failed authentication attempts should be logged with the user ID attempted, for security monitoring purposes.
Weak passwords can be easily guessed or cracked by attackers. Invalid authentication attempts that go unchecked allow attackers unlimited opportunities to guess credentials. Limiting invalid attempts and locking out accounts helps prevent brute-force attacks.
Accounts should be locked out after no more than 10 invalid authentication attempts. The lockout duration should be at least 30 minutes or until an administrator resets the account.
If passwords or passphrases are used as authentication factors, they must be sufficiently complex to resist guessing and brute-force attacks. Weak passwords are one of the most common causes of unauthorized access.
Passwords should be at least 12 characters long (or if the system does not support 12, at least 8 characters) and should contain both numeric and alphabetic characters. Passwords should not be easily guessable.
Requiring passwords to be changed periodically limits the time that a compromised password can be used by an attacker. Regular password changes reduce the risk of ongoing unauthorized access.
Passwords should be changed at least once every 90 days. Users should be prompted to change their passwords and should not be able to reuse recent passwords.
If new passwords can be the same as recently used passwords, the effectiveness of password changes is diminished. Password history enforcement ensures that users select genuinely new passwords.
Systems should enforce a password history of at least the last four passwords, preventing users from reusing any of these previous passwords.
Security awareness about authentication mechanisms helps users understand the importance of protecting their credentials and the risks associated with poor password practices.
Users should be educated about the importance of strong, unique passwords, the risks of sharing credentials, and how to recognize social engineering attempts targeting their credentials.
Using the same password for multiple accounts means that if one account is compromised, all accounts using that password are at risk. Unique passwords for each account limit the impact of a single credential compromise.
Users should be required to use unique passwords for each system or application. Password management tools can help users maintain unique, complex passwords for multiple accounts.
Multi-factor authentication (MFA) provides an additional layer of security beyond passwords. Even if a password is compromised, the attacker would still need the additional authentication factor(s) to gain access.
MFA should be implemented for all non-console administrative access. The authentication factors used should be from different categories (something you know, have, or are), and the factors must be independent of one another, so that compromise of one factor does not give access to the other.
For non-console administrative access to the CDE, MFA provides critical protection against unauthorized access. Administrative accounts have elevated privileges that make them high-value targets for attackers.
MFA should be required for all non-console administrative access into the CDE. The MFA solution should use independent authentication factors and should be resistant to replay attacks.
Physical and logical security tokens, smart cards, and other authentication devices can be compromised if not properly managed. Ensuring the physical security and integrity of these devices helps maintain the strength of the authentication process.
Authentication devices should be assigned to individual users and should not be shared. Lost or stolen devices should be reported immediately and deactivated. Devices should be protected against unauthorized modification or cloning.
Authentication using at least one factor helps verify the identity of users before granting access to system components or cardholder data. Without authentication, there is no way to verify that the person requesting access is who they claim to be.
All access attempts should require authentication with at least one factor. The authentication mechanism used should be appropriate for the sensitivity of the systems and data being accessed.
Authentication factors include something you know (passwords, passphrases), something you have (tokens, smart cards), and something you are (biometrics).
Strong cryptography should be used to render all authentication factors unreadable during transmission and storage. If authentication factors are intercepted or accessed in cleartext, they could be used by an attacker to gain unauthorized access.
All authentication factors should be encrypted during transmission using strong cryptographic protocols. Stored authentication factors should be rendered unreadable using strong one-way hashing with a unique salt for each credential.
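A credential store that enforces the password rules given above (at least 12 characters, or 8 where the system cannot support 12; both alphabetic and numeric characters; change at least every 90 days; no reuse of any of the last four passwords) and that holds passwords only as salted one-way hashes, as an added example written for this page; it is not PCI DSS text or a vendor implementation, and the class names, the PBKDF2 iteration count and the `days_later()` clock helper are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 12
MIN_LENGTH_LEGACY = 8             # only where the system cannot support 12
MAX_AGE = timedelta(days=90)
HISTORY_DEPTH = 4                 # current password plus the three before it
PBKDF2_ITERATIONS = 100_000       # assumed cost; raise for production hardware

EXAMPLE_NOW = datetime(2024, 1, 1)   # constructed clock origin


def days_later(days: int) -> datetime:
    """Timestamp `days` after EXAMPLE_NOW (helper for the tests)."""
    return EXAMPLE_NOW + timedelta(days=days)


def check_complexity(password: str, system_supports_12: bool = True) -> Optional[str]:
    """Returns None when the password meets policy, otherwise the reason it fails."""
    minimum = MIN_LENGTH if system_supports_12 else MIN_LENGTH_LEGACY
    if len(password) < minimum:
        return f"shorter than {minimum} characters"
    if not any(c.isalpha() for c in password):
        return "no alphabetic character"
    if not any(c.isdigit() for c in password):
        return "no numeric character"
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted one-way hash; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class StoredCredential:
    salt: bytes
    digest: bytes
    set_at: datetime


@dataclass
class PasswordRecord:
    """One user's current password hash plus retained history, most recent first."""
    current: Optional[StoredCredential] = None
    history: List[StoredCredential] = field(default_factory=list)

    @staticmethod
    def matches(cred: StoredCredential, password: str) -> bool:
        # Constant-time comparison of the derived digest against the stored one
        return hmac.compare_digest(cred.digest, hash_password(password, cred.salt))

    def is_expired(self, now: datetime) -> bool:
        return self.current is None or now - self.current.set_at >= MAX_AGE

    def set_password(self, new_password: str, now: datetime,
                     system_supports_12: bool = True) -> Tuple[bool, str]:
        problem = check_complexity(new_password, system_supports_12)
        if problem:
            return False, problem
        # Reject reuse of the current password or any retained previous one
        retained = ([self.current] if self.current else []) + self.history
        for cred in retained[:HISTORY_DEPTH]:
            if self.matches(cred, new_password):
                return False, "matches one of the last four passwords"
        if self.current:
            self.history.insert(0, self.current)
            del self.history[HISTORY_DEPTH - 1:]      # keep three previous plus the new current
        salt = os.urandom(16)                         # unique salt for each credential
        self.current = StoredCredential(salt, hash_password(new_password, salt), now)
        return True, "ok"

    def verify(self, password: str, now: datetime) -> Tuple[bool, str]:
        if self.current is None:
            return False, "no password set"
        if not self.matches(self.current, password):
            return False, "invalid password"
        if self.is_expired(now):
            return False, "password expired; change required"
        return True, "ok"
```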
MFA for non-console administrative access into the CDE adds an essential layer of protection for the most sensitive systems and data. Administrative access to the CDE provides the highest level of access and therefore requires the strongest authentication controls.
MFA should be required for all non-console administrative access into the CDE. This includes access via VPN, remote desktop, and web-based management interfaces. The MFA solution should use at least two different authentication factors.
MFA for all access into the CDE helps prevent unauthorized access to cardholder data, even if a single authentication factor is compromised. This requirement extends MFA beyond just administrative access to all users accessing the CDE.
MFA should be implemented for all personnel accessing the CDE, regardless of their role. The MFA solution should be designed to be user-friendly while maintaining security.
Remote access to the entity's network from outside the network presents additional risk because the remote connection traverses networks outside the entity's control. MFA for remote access helps mitigate the risk of unauthorized access through compromised remote credentials.
MFA should be required for all remote network access, whether for administrators or regular users. The MFA implementation should be applied before access is granted to the entity's network.
Improperly configured MFA systems may not provide the intended security benefits. Ensuring that MFA is properly implemented helps prevent bypass of the multi-factor requirement and maintains the integrity of the authentication process.
MFA systems should be configured so that the authentication factors are truly independent: compromise of one factor must not give access to another (for example, a one-time code delivered to the same device that stores the password, or a password that can be used to reset or re-enrol the second factor). The system should not be susceptible to replay, so a one-time code or challenge response that has already been used is never accepted again. All factors should be evaluated and all must succeed before access is granted, and a failed attempt should not reveal which factor failed. MFA should not be bypassable by any user or administrator except on a documented, time-limited exception basis.
Multi-factor authentication requires the use of at least two of the three authentication factor types: something you know (a password or passphrase), something you have (a hardware token, smart card, or authenticator on a device), and something you are (a biometric). Using two instances of the same factor type (e.g., two passwords) is not considered multi-factor authentication.
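The following is an added example, not code from the original page or from PCI SSC, showing the properties just described in a small password-plus-TOTP verifier: both factors are always evaluated and must both pass, the caller gets a single generic failure, and a one-time code is consumed only on a fully successful login so it cannot be replayed even inside the clock-drift window. The HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238; the user records, salt, and the RFC 6238 test seed used below are constructed for the example.

```python
import hashlib
import hmac
import struct
import time

TOTP_STEP = 30          # RFC 6238 time step, seconds
TOTP_DIGITS = 6
TOTP_WINDOW = 1         # tolerate one step of clock drift either side
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // TOTP_STEP)


def make_user(password: str, totp_secret: bytes, salt: bytes) -> dict:
    """Enrol a user: store a PBKDF2 hash of the password and the TOTP seed."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"pw_hash": pw_hash, "salt": salt, "totp_secret": totp_secret}


class MfaVerifier:
    """Password (something you know) + TOTP (something you have).

    * Both factors are always evaluated and both must pass; the caller gets one
      generic result and learns nothing about which factor failed.
    * A TOTP counter is consumed only on a fully successful login, and the highest
      accepted counter is remembered per user, so a captured code cannot be
      replayed, not even within the drift window.
    * Knowing the password never grants access to the TOTP seed; there is no
      "reset MFA with your password" path here.
    """

    def __init__(self, users: dict):
        self.users = users          # name -> record from make_user()
        self.last_counter = {}      # name -> last accepted time-step counter

    def _password_ok(self, user: str, password: str) -> bool:
        rec = self.users.get(user)
        # Unknown user: still do the PBKDF2 work so timing does not leak existence.
        salt = rec["salt"] if rec else b"\x00" * 16
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return rec is not None and hmac.compare_digest(digest, rec["pw_hash"])

    def _totp_counter(self, user: str, code: str, now: int):
        """Return the time-step counter the code matches within the window, else None."""
        rec = self.users.get(user)
        if rec is None:
            return None
        base = now // TOTP_STEP
        for c in range(base - TOTP_WINDOW, base + TOTP_WINDOW + 1):
            if hmac.compare_digest(hotp(rec["totp_secret"], c), code):
                return c
        return None

    def verify(self, user: str, password: str, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        pw_ok = self._password_ok(user, password)
        counter = self._totp_counter(user, code, now)
        fresh = counter is not None and counter > self.last_counter.get(user, -1)
        if not (pw_ok and fresh):
            return False            # single generic failure, nothing consumed
        self.last_counter[user] = counter
        return True


if __name__ == "__main__":
    seed = b"12345678901234567890"      # RFC 6238 test seed, used here as constructed data
    v = MfaVerifier({"alice": make_user("correct horse battery", seed, b"example-salt-16b")})
    code = totp(seed, 59)               # "287082"
    print(v.verify("alice", "correct horse battery", code, now=59))    # True
    print(v.verify("alice", "correct horse battery", code, now=61))    # False: replayed code
```

Note that the replay check is keyed on the time-step counter rather than on the code string, which is what stops a code from being reused one step later while the drift window still covers it.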
System and application accounts that can be used for interactive login provide a potential avenue for unauthorized access. If these accounts are used interactively, it may be difficult to trace actions to specific individuals. Managing interactive use of these accounts helps maintain accountability.
System and application accounts should be managed so that interactive login is prevented unless it is needed for an exceptional circumstance. When interactive login is needed, it should have a documented business justification, be approved by management, be limited to the time required, and be logged, and the identity of the individual using the account should be confirmed before access is granted so that every action remains attributable to that person.
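As an added example (not part of the original page), here is a small audit of the kind a practitioner would run against this guidance: parse a constructed /etc/passwd excerpt, find service accounts that still have an interactive shell, and check each against a hypothetical break-glass register of approved, time-boxed exceptions. The `svc-` naming convention, the UID threshold, the ticket identifiers, and the passwd lines are all assumptions made for the example.

```python
from datetime import datetime, timezone

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}
HUMAN_UID_MIN = 1000                    # assumed first UID for people on this distro
SERVICE_PREFIXES = ("svc-", "svc_")     # assumed naming convention for application accounts

# Constructed /etc/passwd excerpt for the example (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
postgres:x:112:118:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
svc-batch:x:1501:1501:Nightly settlement batch:/opt/batch:/bin/sh
svc-web:x:1502:1502:Web application runtime:/srv/web:/usr/sbin/nologin
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
"""

# Hypothetical break-glass register: each approved exception is time-boxed.
APPROVED_EXCEPTIONS = {
    "svc-batch": {
        "ticket": "CHG-0042",
        "approved_by": "ops-manager",
        "expires": datetime(2024, 6, 1, 18, 0, tzinfo=timezone.utc),
    },
}


def parse_passwd(text: str) -> list:
    """Return name/uid/shell for each passwd entry."""
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        accounts.append({"name": name, "uid": int(uid), "shell": shell})
    return accounts


def is_service_account(acct: dict) -> bool:
    """System-range UID (root excluded) or the assumed service naming convention."""
    return 0 < acct["uid"] < HUMAN_UID_MIN or acct["name"].startswith(SERVICE_PREFIXES)


def audit_interactive_service_accounts(passwd_text: str, exceptions: dict, now: datetime) -> list:
    """(name, shell, status) for every service account that still has a login shell.

    status: "approved"   an unexpired exception is on file
            "expired"    the exception lapsed but the shell was never reverted
            "unapproved" no exception exists at all
    """
    findings = []
    for acct in parse_passwd(passwd_text):
        if not is_service_account(acct) or acct["shell"] in NOLOGIN_SHELLS:
            continue
        exc = exceptions.get(acct["name"])
        if exc is None:
            status = "unapproved"
        elif exc["expires"] > now:
            status = "approved"
        else:
            status = "expired"
        findings.append((acct["name"], acct["shell"], status))
    return findings


def audit_sample(now_iso: str) -> list:
    """Run the audit on the constructed data at a given ISO-8601 instant."""
    return audit_interactive_service_accounts(
        SAMPLE_PASSWD, APPROVED_EXCEPTIONS, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for finding in audit_sample("2024-07-01T00:00:00+00:00"):
        print(*finding)
```

The "expired" state is the one that usually goes unnoticed in practice: the approval ran out but nobody set the shell back to nologin, so the exceptional circumstance has quietly become permanent.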
Passwords and other credentials for system and application accounts are particularly sensitive because compromise of these accounts can provide broad access to data and system resources. Proper management of these credentials helps prevent unauthorized access.
Credentials for system and application accounts should be changed periodically, at a frequency justified by the entity's risk analysis, and immediately upon suspicion or confirmation of compromise. They should not be hard-coded in scripts or source code, should be stored securely, and access to them should be limited to authorized personnel.
Hard-coded passwords in scripts, configuration files, or source code can be discovered by anyone with access to the code and are difficult to change. Protecting passwords for system and application accounts helps prevent unauthorized access.
Passwords should not be stored in cleartext in scripts, configuration files, or source code, and should never be committed to version control, where they persist in history even after removal. Secure credential management solutions, such as vaults or key management systems, should be used to store and manage credentials for system and application accounts, with scripts and applications retrieving the credential at runtime by reference rather than embedding its value.
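The following is an added example, not code from the original page or from PCI SSC: a small scanner for the hard-coded credentials that the passage warns about. It flags credential-looking keys assigned a literal value in config files, shell scripts, and source, while treating environment lookups, vault calls, and `${VAR}` references as acceptable. The sample files, paths, and the `vault.read` helper that appears in them are constructed for the example; the scanner deliberately never copies the matched value into a finding.

```python
import re

# Constructed sample files for the example (not from any real project).
SAMPLES = {
    "app/config.ini": """\
[database]
host = db.internal
user = app_ro
password = Tr0ub4dor&3
""",
    "deploy/run.sh": """\
#!/bin/sh
export API_TOKEN="live-0123456789abcdef-example"
curl -H "Authorization: Bearer $API_TOKEN" https://api.example.test/
""",
    "app/settings.py": """\
DB_PASSWORD = os.environ["DB_PASSWORD"]        # injected by the orchestrator
SMTP_PASSWORD = vault.read("secret/smtp")       # fetched from the vault at start-up
PLACEHOLDER_SECRET = "changeme"
AWS_SECRET_ACCESS_KEY = "EXAMPLEnotARealKey0123456789abcdefghij"
""",
}

# key = value, key: value, or export key=value, where the key looks credential-like.
KEY_VALUE = re.compile(r"""(?ix)
    ^\s*(?:export\s+)?
    (?P<key>[\w.-]*(?:passw(?:or)?d|secret|token|api[_-]?key|access[_-]?key)[\w.-]*)
    \s*[=:]\s*
    (?P<value>.+?)\s*$
""")
# A quoted string or a bare word is a literal. Environment lookups, vault calls,
# ${VAR} expansions and similar references contain characters outside these forms.
LITERAL = re.compile(r'''^(?:"[^"]*"|'[^']*'|[^\s$(){}"'\[\]]+)$''')
PLACEHOLDERS = {"", "changeme", "todo", "xxx", "<redacted>", "null", "none"}


def strip_trailing_comment(value: str) -> str:
    return re.split(r"\s+(?:#|//)", value, maxsplit=1)[0].strip()


def scan_text(path: str, text: str) -> list:
    """Findings for one file. The secret value itself is never copied into a finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = KEY_VALUE.match(line)
        if not m:
            continue
        value = strip_trailing_comment(m.group("value"))
        if not LITERAL.match(value) or value.strip("\"'").lower() in PLACEHOLDERS:
            continue
        findings.append({"path": path, "line": lineno, "key": m.group("key")})
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> file contents."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_files(SAMPLES):
        print(f"{f['path']}:{f['line']}: hard-coded credential in '{f['key']}'")
```

Run it as a pre-commit hook or in CI over the repository tree; the reference-versus-literal distinction is what lets the same check pass cleanly once a value has been moved to a vault or injected from the environment.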