According to the PCI Security Standards Council, the forthcoming revision of PCI DSS – which is due to go live on November 7th 2013 – has been designed to ‘help organisations take a proactive approach to protect cardholder data that focuses on security, not compliance’.
As part of this, poor password security practices have been highlighted as a key driver for change. The PCI DSS update clarifies the importance of changing default passwords for application/service accounts, as well as user accounts, to address gaps in basic password security practices that are leading to compromises.
Matt Middleton-Leal, regional director for UK & Ireland at CyberArk, has made the following comments:
“It’s extremely encouraging that the latest revision of PCI DSS is moving away from focusing solely on compliance, and moving towards best practice security. As we continue to see privileged account credentials and passwords as primary targets in almost all major breaches, it’s great that this latest version of the standard is taking steps towards addressing this crucial part of the problem.
“The proposed changes state that revised password policies should include guidance on ‘choosing strong passwords, protecting their credentials, changing passwords on suspicion of compromise’. While this is certainly a step in the right direction, I would argue that we need to go further in order to adequately protect these extremely powerful credentials. Rather than waiting for suspicious activity before taking action, organisations should arm themselves with the best possible defence by establishing a centrally managed privileged account security policy. This will allow organisations to determine how regularly passwords need to be changed and can allow users to easily set, manage and monitor password security from one single interface.
“By simplifying the password management process and giving control back to the security, risk and audit teams, companies can be sure that they are not only compliant with PCI DSS v3.0, but also that they are doing everything they can to proactively protect their customers’ payment card data.”