Gasboy CFN III Fuel Management System PA-DSS User Manual

MDE-4870A CFN III Fuel Management System PA-DSS Implementation Guide Version 3.6 · June 2010

Appendix A: PCI Password Requirements

The following password controls must be followed to meet minimum PCI PA-DSS
requirement 8:

• Assign all users a unique User Name before allowing them access to the system.
• For authentication purposes, use either a Password/Passphrase or two-factor authentication (such as token or smart card).

• Control addition, deletion, and modification of User Names and passwords.
• Verify user identity before performing password resets.
• Set first-time passwords to a unique value and require them to be changed after the first use.

• Immediately revoke access for any terminated or temporary users.
• Remove/disable inactive or unnecessary user accounts at least every 90 days.
• Communicate password procedures and policies to all users who have access to cardholder data.

• Do not use group, shared, or generic accounts and passwords.
• Change user passwords at least every 90 days.
• Require a minimum password length of at least seven characters.
• Use “Strong” passwords containing a combination of lower case letters, upper case letters, and numeric characters. A strong password must be unique and not consist of common names or places.

• Do not allow an individual to submit a new password that is the same as any of the last four passwords used.
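
The length, character-mix, history and 90-day rules from the list above, as an added Python example (not part of the Gasboy guide or the CFN III software). The function names, the PBKDF2 storage of password history and the word-list check are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

MIN_LENGTH = 7                  # from the list: at least seven characters
HISTORY_DEPTH = 4               # from the list: last four passwords
MAX_AGE = timedelta(days=90)    # from the list: change at least every 90 days
PBKDF2_ROUNDS = 100_000         # assumption: not specified by the guide

def hash_password(password, salt=None):
    """Return (salt, digest); history keeps these, never the plain text."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def reused(password, history):
    """history: list of (salt, digest) tuples, oldest first."""
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history[-HISTORY_DEPTH:]
    )

def check_new_password(password, history, blocklist=()):
    """Return the list of rules the candidate breaks (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 7 characters")
    for pattern, label in ((r"[a-z]", "lower case letter"),
                           (r"[A-Z]", "upper case letter"),
                           (r"[0-9]", "numeric character")):
        if not re.search(pattern, password):
            problems.append("no " + label)
    # Assumption: names/places are matched as substrings of a site word list.
    if any(word.lower() in password.lower() for word in blocklist):
        problems.append("contains a common name or place")
    if reused(password, history):
        problems.append("matches one of the last four passwords")
    return problems

def password_expired(last_changed, now):
    """True once 90 days have passed since the last change."""
    return now - last_changed >= MAX_AGE

if __name__ == "__main__":
    # Constructed sample history, oldest first.
    history = [hash_password(p) for p in ("Winter2009", "Spring2010", "Summer2010")]
    print(check_new_password("Spring2010", history))
    print(password_expired(datetime(2010, 6, 1), datetime(2010, 8, 30)))
```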