Assessing and strengthening password and authentication policies is one significant change in PCI DSS v4.  Not only are requirements more stringent, they also address securing remote access, a path used by many hackers to infiltrate systems in the past.

Once v4 becomes the Standard, merchants must:

  1. Require multifactor authentication for all users accessing cardholder data.  In earlier versions, multifactor authentication was required only for administrators who access systems related to processing or cardholder data. The newer version will require multifactor authentication for any account that has access to cardholder data.
  2. Change users' passwords at least every 12 months, and any time that a compromise is suspected.
  3. Require that passwords be at least 15 characters in length and include both numeric and alphabetic characters.  Prospective passwords will also need to be compared against a list of passwords that are known to be compromised.
  4. Review access privileges every six months to confirm that only people who specifically need access to cardholder data have permission.
  5. Enable vendor or third-party accounts only as needed and monitor them regularly while in use.
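The five points above can be turned into checks that run against an account inventory. The following is an added example written for this article, not code from the PCI SSC or any assessor tool; it assumes 12 months is 365 days, "six months" is 182 days, and it uses a constructed compromised-password list and constructed account records in place of a real breach corpus and directory export.

```python
from datetime import date, timedelta

MIN_LENGTH = 15                                # point 3: at least 15 characters
MAX_PASSWORD_AGE = timedelta(days=365)         # point 2: rotate at least every 12 months (assumed 365 days)
ACCESS_REVIEW_INTERVAL = timedelta(days=182)   # point 4: review privileges every six months (assumed 182 days)

# Constructed stand-in for a list of known-compromised passwords (point 3).
KNOWN_COMPROMISED = {"password123456789", "correcthorsebatterystaple", "welcome2024welcome"}

def check_password(candidate, compromised=KNOWN_COMPROMISED):
    """Return the policy violations for a prospective password; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeric character")
    if not any(c.isalpha() for c in candidate):
        problems.append("no alphabetic character")
    if candidate in compromised:
        problems.append("appears in known-compromised list")
    return problems

def password_change_due(last_changed, today, compromise_suspected=False):
    """Rotation is due after 12 months, or immediately when a compromise is suspected."""
    return compromise_suspected or (today - last_changed) >= MAX_PASSWORD_AGE

def access_review_due(last_review, today):
    """Privilege reviews are due once the six-month interval has elapsed."""
    return (today - last_review) >= ACCESS_REVIEW_INTERVAL

def accounts_needing_attention(accounts, today):
    """Flag accounts that fail the MFA (point 1), rotation (point 2) or third-party (point 5) checks."""
    flagged = []
    for a in accounts:
        reasons = []
        if a["has_chd_access"] and not a["mfa_enrolled"]:
            reasons.append("MFA not enrolled")
        if password_change_due(a["last_changed"], today, a.get("compromise_suspected", False)):
            reasons.append("password rotation due")
        if a.get("third_party") and not a.get("active_engagement"):
            reasons.append("vendor account enabled with no active engagement")
        if reasons:
            flagged.append((a["user"], reasons))
    return flagged

SAMPLE_ACCOUNTS = [  # constructed records, not real data
    {"user": "alice", "has_chd_access": True, "mfa_enrolled": True, "last_changed": date(2023, 9, 1)},
    {"user": "bob", "has_chd_access": True, "mfa_enrolled": False, "last_changed": date(2022, 5, 1)},
    {"user": "vendor-svc", "has_chd_access": False, "mfa_enrolled": False,
     "last_changed": date(2023, 9, 1), "third_party": True, "active_engagement": False},
]
```

Running `accounts_needing_attention(SAMPLE_ACCOUNTS, date(2023, 10, 1))` flags bob (no MFA, password older than a year) and the vendor account (enabled with no active engagement) while alice passes.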

Merchants will not be required to comply with these changes until March 31, 2024, when v4 becomes the only standard, but there’s no reason not to put these in place now. Each one of these requirements increases security to help prevent a compromise.