The PCI Security Standards Council recently announced the latest revision of the Payment Card Industry Data Security Standard. According to the Security Standards Council, this new version – version three – has been designed to “help organisations take a proactive approach to protect cardholder data that focuses on security, not compliance”.
One thing that’s really encouraging to see is that poor password security practices have been highlighted as a key driver for change. The new standard calls out the importance of changing default passwords for application/service accounts, as well as user accounts, to address gaps in basic password security practices that are leading to compromises.
As we continue to see privileged account credentials and passwords as primary targets in almost all major breaches, it’s great that this latest version of the standard is taking steps towards addressing this crucial part of the problem. The proposed changes state that revised password policies should include guidance on “choosing strong passwords, protecting their credentials, changing passwords on suspicion of compromise”.
While this is certainly a step in the right direction, I would argue that we need to go further in order to adequately protect these extremely powerful credentials. Rather than waiting for suspicious activity before taking action, organisations should arm themselves with the best possible defence by establishing a centrally managed privileged account security policy. This will allow organisations to determine how regularly passwords need to be changed and allow users to easily set, manage and monitor password security from a single interface.
By simplifying the password management process and giving control back to the security, risk and audit teams, companies can be sure that they are not only compliant with PCI DSS v3.0, but also that they are doing everything they can to proactively protect their customers’ payment card data.