PCI DSS v4.0: Forced Password Changes and Zero Trust Architecture

Alastair Stewart
|
Senior Consultant at URM
|
PUBLISHED on
3 Jun
2024

You may never have heard the term ‘zero-trust architecture’; it is relatively new within the security landscape and, even if you have heard of it, you may be wondering what it has to do with v4.0 of the Payment Card Industry Data Security Standard (PCI DSS).  Well, within PCI DSS v4.0, the PCI Security Standards Council (PCI SSC) made a number of changes to the access control requirement, i.e., Requirement 8: Identify and Authenticate Access to System Components.  Many of these changes related to multi-factor authentication (MFA) and system/application accounts, which have already been discussed at length by much of the already published content on v4.0 of the PCI DSS (to learn more about the broader changes to MFA in PCI DSS v4.0, read our blog on PCI DSS v4.0 and Multi-Factor Authentication).  However, one of the smaller changes within the access control requirement could have significant consequences for organisations (depending on their environment), and this relates to zero-trust architecture.

Following on from our blog on PCI DSS v4.0: Network Security Controls, where we drilled down into the specifics of a smaller, but still impactful change in PCI DSS v4.0, this blog will explore an updated PCI DSS requirement which concerns forced password changes.

How have the requirements around forced password changes been updated in PCI DSS v4.0?

Under the old version 3.2.1, the PCI DSS mandated that all passwords must be changed at least every 90 days irrespective of the account, the access level, and other authentication systems – it simply stated that all passwords much be changed.

This has caused a great many discussions between PCI qualified security assessors (QSAs) and organisations over the years, as there are many security professionals who believe that the practice of forcing password changes is less secure due to the policy’s complexity and the inconvenience it imposes on users.  Also, many governmental advisory bodies have started to move away from this type of policy in recent times, leading to conflicts within organisations that need to meet several different security standards.  As such, a change to this requirement in the PCI DSS was necessary to bring it into line with current security standards and practices.

However, it’s not simply a matter of disabling the mandatory password changes, as the new Requirement 8.3.9 features two major changes: firstly, it now only applies to accounts using single-factor authentication, meaning that MFA accounts do not have to change their passwords at all, providing yet another reason to adopt MFA across the board.

Secondly, the Requirement now has two options for the remaining single-factor authentication accounts: mandatory password changes every 90 days, or ‘the security posture of accounts is dynamically analysed, and real-time access to resources is automatically determined accordingly.’  This second option is also known as zero-trust architecture, and the principle is detailed in one of the National Institute of Standards and Technology (NIST) Special Publications (SP 800-207), as are many of the security principles that the PCI DSS draws upon.

What is zero-trust architecture in PCI DSS v4.0?

Whilst the intricacies of zero-trust can get very technical, the underlying principle is relatively simple.  Essentially, you start from a baseline of no person or system is allowed access to anything i.e. ‘trust no-one’, then each individual access request is dynamically analysed in real-time to determine whether access should be granted for that request.

Zero-trust Architecture Diagram

This analysis will take in a wide range of data points to make its determination, including considerations such as: the device being accessed, the location of the access request, the user or systems requesting access, the time of the access request, the resources being accessed, the route taken from the request to the device, and the frequency of similar requests.  This allows each access request to be analysed based on its own merits and granted accordingly and, if a request is unusual, it could be an indicator that the account has been compromised and access will be denied by default.

Should you use zero-trust architecture to meet PCI DSS v4.0 requirements?

Zero-trust architecture may initially seem like an ideal option to adopt as it could be managed by a large autonomous system, however it is important to note that such an architecture requires the deployment of an application or service that is capable of providing an effective zero-trust access architecture, and these services are not particularly cheap or easy to configure.  These services also require a level of ongoing resourcing to ensure they continue to operate effectively, which could impact your IT department’s day-to-day costs and available time.   Meanwhile, you would need to account for these access systems within your disaster recovery and business continuity plans.

All of which is not to say that these types of zero-trust systems are not effective at securing access in a way that traditional access control cannot achieve, but to make you aware that there are a great number of considerations that should guide your decision to use such systems. Zero-trust systems are not for everyone, and some organisations will unfortunately still have to mandate periodic password changes because after all: sometimes the simplest solution is the best one.

How URM can help?

Understanding how best your organisation can meet the new and updated PCI DSS requirements and maintain PCI DSS compliance can be difficult without assistance.  However, URM’s extensive experience as a PCI Qualified Security Assessor Company (PCI QSAC) means we are ideally placed to help you navigate the new version of the Standard and support your transition to v4.0.  Our large team of PCI DSS consultants can offer a range of services on both sides of the certification process; we can provide a scoping service to help you define the most streamlined and appropriate certification scope, and can conduct a gap analysis of your current environment against the PCI DSS requirements to allow you to identify any areas of noncompliance.  If noncompliances are identified, URM’s PCI DSS consultant will be able to assist with any necessary implementation and remediation activities to ensure you can achieve and/or maintain compliance.

Meanwhile, when you are fully prepared, URM can support and facilitate your assessment by conducting a PCI DSS audit, which, if successful, will then result in certification to the Standard.  Depending on your organisation’s merchant/service provider level and the level of support you prefer, URM can offer a QSA supported self-assessment questionnaire (SAQ), where our assessor will lead your completion of and countersign the SAQ, support your completion of the SAQ in an advisory capacity, or, if your organisation is a Level 1 merchant or service provider, deliver a QSA-led PCI Report on Compliance (RoC).  URM’s QSAs can also work with your organisation to conduct a pre-audit readiness assessment, prior to the formal assessment, which will allow you to identify any issues that could prevent you from achieving PCI compliance.

Alastair Stewart
Senior Consultant at URM
Alastair is one of the most experienced and proficient Payment Card Industry Qualified Security Assessors (PCI QSAs) in the UK. He has completed in excess of one hundred successful reports on compliance (RoCs) against different PCI DSS versions along with supporting the completion of self-assessment questionnaires (SAQs).
Read more

Are you looking for help preparing for a PCI DSS assessment?

As a PCI QSA, URM can assist you with a range of services, including conducting gap analyses, helping you reduce your CDE scope and conducting penetration tests.
Thumbnail of the Blog Illustration
Information Security
Published on
5/8/2022
What Are the Merchant Levels

We are often asked, both by those new to PCI DSS and those who have been involved for a while....

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
9/8/2022
PCI DSS: Pros and Cons of Outsourcing

In this blog, we address one of the big questions facing organisations which accept payment cards....

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
11/4/2024
PCI DSS v4.0: Network Security Controls

URM’s blog explains the wording changes in Requirement of the PCI DSS v4.0, offering advice on how organisations can select and use the most appropriate NSCs.

Read more
Moving from our existing Pen Testers after 10 years was a difficult decision but I am really glad we did. It's been a pleasure working with you. The Pen Testing was extremely thorough and as hoped you were open to a collaborative deeper delve, far beyond what we were required to do for PCI DSS, which has been very useful.
Payment Service Provider
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.