Top tips from URM about Password Management and Compensating Controls

Section 8.2.4 of the PCI DSS v3.2.1 specifies that passwords must be changed at least once every 90 days. In our day-to-day PCI DSS consultancy work, we are frequently asked whether there is any flexibility in extending the period when passwords need to be changed and whether ‘compensating controls’ can be used.

The argument often used for requiring less frequent password changes (and expounded in NIST Special Publication 800-63B) is that of user frustration, which leads to users trying to work around these restrictions in ways that are counterproductive.

So, is there any flexibility for organisations?

The following guidelines on compensating controls are provided by the PCI Security Standards Council (SSC). Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must:

  • Meet the intent and rigour of the original PCI DSS requirement;
  • Provide a similar level of defence as the original PCI DSS requirement;
  • Be ‘above and beyond’ other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and
  • Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.

What sort of compensating controls would suffice then?

Firstly, it must be stated there is no definitive answer to this question. It is down to the PCI Qualified Security Assessor to evaluate each situation and decide whether they have the confidence in the compensating control to deliver the rigour of the original requirement.

What we can do is look at areas where compensating controls could exist.

One area is password length: the assessor may be looking for users to be required to use passwords longer than the standard PCI DSS minimum of 7 characters.

Another compensating control area could be closer monitoring of users’ activities, e.g. investigating any increased traffic from out of office/out of hours or access to systems from unusual terminals. In other words, closer monitoring of anything that would immediately signal a misuse of user credentials. The assessor may also appraise the incident management procedures and investigate how quickly the organisation would be able to react to a breach situation, and how knowledgeable the incident responders are about handling compromised user credentials.
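As an added illustration of the monitoring control described above (not code from URM or the PCI SSC), the following script flags successful logins that occur out of hours or from a terminal a user does not normally use. The log format, the per-user terminal baseline and the 08:00-18:00 Monday-to-Friday business hours are all constructed assumptions.

```python
"""Flag out-of-hours logins and logins from unusual terminals.
Constructed example; log format, baseline and hours are assumptions."""
from datetime import datetime, time
import re

# Constructed sample authentication events (UTC timestamps).
SAMPLE_LOG = """\
2023-05-02T09:15:02Z user=jsmith src=ws-fin-01 result=success
2023-05-02T03:12:44Z user=jsmith src=ws-fin-01 result=success
2023-05-02T10:40:19Z user=jsmith src=ws-lab-07 result=success
2023-05-06T11:05:33Z user=akhan src=ws-ops-03 result=success
2023-05-03T14:22:10Z user=akhan src=ws-ops-03 result=failure
"""

# Assumed per-user baseline of terminals normally used (constructed).
BASELINE = {"jsmith": {"ws-fin-01"}, "akhan": {"ws-ops-03"}}
# Assumed business hours: 08:00-18:00, Monday to Friday.
START, END = time(8, 0), time(18, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

def parse_line(line):
    """Return the event fields with a datetime, or None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def out_of_hours(ts):
    """True on weekends or outside the START..END window."""
    return ts.weekday() >= 5 or not (START <= ts.time() < END)

def find_anomalies(log_text, baseline):
    """Return (timestamp, user, reason) for each successful login that is
    out of hours or from a terminal absent from the user's baseline.
    Failed logins are skipped; they belong with lockout/brute-force checks."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue
        if out_of_hours(ev["ts"]):
            findings.append((ev["ts"], ev["user"], "out-of-hours login"))
        if ev["src"] not in baseline.get(ev["user"], set()):
            findings.append((ev["ts"], ev["user"], "unusual terminal " + ev["src"]))
    return findings
```

Each finding is a trigger for the investigation step the assessor will expect to see documented, and a malformed line is ignored rather than crashing the check.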

In essence, any deviation from directly meeting the requirements of the PCI DSS needs to be thoroughly investigated to ensure that it does not negatively impact the overall security posture of the organisation. These deviations from the Standard need to be thoroughly documented in a Compensating Controls Worksheet. Through this process, organisations will need to demonstrate how other controls meet the intent of the original requirement.