
This PDF will help your boss win the battle.

 

Section 8.5.9

Change user passwords at least every 90 days

For a sample of system components, critical servers, and wireless access points, obtain and inspect system configuration settings to verify that user password parameters are set to require users to change passwords at least every 90 days. For Service Providers only, review internal processes and customer/user documentation to verify that customer passwords are required to change periodically and that customers are given guidance as to when, and under what circumstances, passwords must change.
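The testing procedure quoted above asks an assessor to inspect configuration settings for the password maximum-age parameter. As an added illustration (not part of this thread and not PCI SSC material), the following script audits the two places that parameter lives on a typical Linux host: the PASS_MAX_DAYS default in /etc/login.defs, which new accounts inherit, and the per-account maximum-age field in /etc/shadow, which is what actually governs existing accounts. The login.defs excerpt and shadow lines embedded below are constructed sample input, and the 90-day threshold is taken from the 8.5.9 text quoted above; the locked-account exemption (hash beginning with "!" or "*") is an assumption about how such accounts would be treated, since they cannot authenticate with a password at all.

```python
from typing import Dict, List, NamedTuple, Optional

# Constructed sample of /etc/login.defs (assumption: standard shadow-utils format).
SAMPLE_LOGIN_DEFS = """\
# constructed excerpt
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
"""

# Constructed sample of /etc/shadow lines.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$constructedhash1:19000:0:90:7:::
dbadmin:$6$constructedhash2:19000:0:365:7:::
deploy:$6$constructedhash3:19000:0::7:::
svc_backup:!:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
"""

MAX_AGE_DAYS = 90  # threshold from PCI DSS 2.0 requirement 8.5.9


class Finding(NamedTuple):
    account: str
    max_days: Optional[int]   # None when no maximum age is set at all
    reason: str


def parse_login_defs(text: str) -> Dict[str, str]:
    """Parse KEY VALUE lines from login.defs, ignoring comments and blanks."""
    defs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            defs[parts[0]] = parts[1].strip()
    return defs


def default_max_age_ok(defs: Dict[str, str], limit: int = MAX_AGE_DAYS) -> bool:
    """True when the login.defs default would give new accounts a compliant max age."""
    value = defs.get("PASS_MAX_DAYS")
    if value is None:
        return False  # shadow-utils treats a missing value as no maximum
    return int(value) <= limit


def audit_shadow(shadow_text: str, limit: int = MAX_AGE_DAYS) -> List[Finding]:
    """Return one Finding per password-enabled account whose max age exceeds the limit."""
    findings: List[Finding] = []
    for raw in shadow_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) < 5:
            raise ValueError(f"malformed shadow line: {raw!r}")
        name, pw_hash, max_field = fields[0], fields[1], fields[4]
        # Locked accounts ("!" or "*" prefix) cannot log in with a password,
        # so password rotation is not meaningful for them (assumed exemption).
        if pw_hash.startswith(("!", "*")):
            continue
        if pw_hash == "":
            findings.append(Finding(name, None, "account has no password set"))
            continue
        if max_field == "":
            # shadow(5): an empty max field means the password never expires.
            findings.append(Finding(name, None, "no maximum password age set"))
            continue
        max_days = int(max_field)
        if max_days > limit:
            findings.append(Finding(name, max_days,
                                    f"max age {max_days} days exceeds {limit}"))
    return findings


def run_audit(login_defs_text: str, shadow_text: str,
              limit: int = MAX_AGE_DAYS) -> Dict[str, object]:
    """Combine the default-policy check and the per-account check into one report."""
    defs = parse_login_defs(login_defs_text)
    return {
        "default_max_days": defs.get("PASS_MAX_DAYS"),
        "default_ok": default_max_age_ok(defs, limit),
        "findings": audit_shadow(shadow_text, limit),
    }


if __name__ == "__main__":
    report = run_audit(SAMPLE_LOGIN_DEFS, SAMPLE_SHADOW)
    print("login.defs PASS_MAX_DAYS:", report["default_max_days"],
          "(ok)" if report["default_ok"] else "(exceeds limit)")
    for f in report["findings"]:
        print(f"{f.account}: {f.reason}")
```

On a real host the two sample strings would be replaced by the contents of /etc/login.defs and /etc/shadow (the latter readable only as root), and the report gives an assessor exactly the evidence the testing procedure asks for: the policy default and each account whose setting falls outside it. Note that a compliant login.defs default does not by itself prove compliance, because accounts created before the default was tightened keep whatever value they were given, which is why the per-account pass matters.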


 

You're trying to help my boss win the battle??  :shrug:

 

 

Debbie

 

I think he is plainly stating that your boss is the one who is on the right track.

 

My Lead Developer found PCI links that say she is wrong.

 

I don't have the link outside of work.

 

Common sense says that rule applies to Internal Users like Admins and Developers?!

 

Name one e-commerce site that makes Customers re-set their passwords every 90 days...  ::)

 

 

Debbie

 

 

I know nothing about PCI and I missed the part about 'users' in your original post.

 

Going by the quote that kingPhilip posted:

 

verify that customer passwords are required to change periodically and that customers are given guidance as to when, and under what circumstances, passwords must change

 

It does indeed seem that your boss may be getting a few points mixed up.

You're trying to help my boss win the battle??  :shrug:

I'm just stating facts :)

 

Common sense says that rule applies to Internal Users like Admins and Developers?!

Yup, and as thorpe mentioned in the post above, your boss may be getting some things mixed up. IMO what I get from the quote I posted is that for any form of access to any user account that was not created for nor by the user, that access account (whether that's a system password such as DBs, server passwords, customer service, etc.) will need to rotate passwords every 90 days to meet the PCI guidelines. In the end, it really depends on your definition of "users".

 

PS - also like thorpe said, I'm not a PCI expert, and I'm not sure you'll find many of them on the forums. There might be one or two lingering around, but I don't know of any off the top of my head.

Thanks for the clarification.

 

If anyone knows of a more definitive source please feel free to share (so I can crush this lunatic female boss of mine).

 

I just glanced at his screen, but our Lead Developer showed me something that did seem to say that most of the PCI Requirements applied to Admins, DBAs, Customer Service, etc.

 

(Honestly I think the whole PCI thing is a scam with a small set of people getting rich off of lame standards.  And if you Google the topic, there are a lot of security experts that seem to agree with both me and our Lead Developer.)

 

Misinformation can make a computer system insecure as much as anything else.

 

Clearly this "Head of Security" has no clue about IT or Security...

 

Thanks guys!

 

 

Debbie

 

 

PCI is mostly common sense stuff (transaction and db servers need to be hardened/firewalled with specific isolation from general use network, cc data needs to be encrypted, use of https required etc.). 

 

There is no debate in this case.  You can easily verify this yourself by downloading the PCI DSS version 2 document.  The "change password" provision is part of the PCI DSS 2.0 document in section 8.5:

 

8.5 Ensure proper user identification and authentication management for non-consumer users and administrators on all system components as follows:

8.5.9 Change user passwords at least every 90 days.

 

 

 

 


 

Can you provide a link?

 

(I always get mixed up reading up on PCI-Compliance because there are SO MANY sites and I never know what the "authoritative" site is?!)  :shrug:

 

 

Debbie

 

 
