
PCI-Compliant Password Procedures

PCI DSS Standard

The PCI DSS requires that the following be communicated to all users of PCI-compliant systems:

  • Guidance on selecting strong authentication credentials
  • Guidance for how users protect their credentials
  • Instructions to not reuse passwords
  • Instructions to change possibly compromised passwords

9.2.2 Password Procedure

Illinois State University password policy is set as part of the Illinois State University Policies & Procedures, Section 9 Information Technology. 9.2.2 Password Procedure (http://policy.illinoisstate.edu/technology/9-2-2.shtml) provides guidance on selecting strong credentials by defining what must or must not be contained in a password. Visit the linked Policy page for the most current ISU Password Procedures.

The following standards are current as of the time of writing and continue to apply to PCI-compliant systems:

  • Passwords must be at least 10 characters
  • Passwords must contain an uppercase letter, a lowercase letter, and a number
  • Passwords may contain punctuation or other special characters
  • Passwords must not contain your first name, last name, or University Logon ID (ULID)
  • Passwords must not contain your birthday
  • Passwords are case sensitive
  • A new password must differ from the previous four passwords used on the account (no reuse within four consecutive changes)
  • Users are prohibited from sharing or allowing another individual to use their password
  • All temporary passwords must be changed at first logon
  • Default passwords will not be used on any University system
  • If an account or password is suspected to have been compromised, report the incident to the Technology Support Center and immediately change every password associated with the account
  • If a breach is confirmed, the affected account is automatically locked and its password must be reset before the account can be used again
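The composition and reuse rules above are easy to state and easy to get subtly wrong (case-insensitive name matching, birthdays in several numeric forms, a reuse check that must not require keeping old passwords in the clear). The checker below is an added illustration of enforcing them, not ISU's code or part of the 9.2.2 procedure. It assumes a constructed user profile, an assumed set of birthday formats to reject, and a password history stored as salted PBKDF2 hashes (the iteration count is an assumption, not a policy value).

```python
"""Checker for the password rules listed above.

Added illustration, not ISU's or any vendor's code. Assumptions, labelled
below: birthdays are rejected in a handful of common numeric formats, and
the password history holds the previous four passwords as salted hashes so
the reuse check never needs the old plaintexts.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date

MIN_LENGTH = 10
HISTORY_DEPTH = 4  # the previous four passwords may not be reused


@dataclass
class UserProfile:
    first_name: str
    last_name: str
    ulid: str
    birthday: date
    # (salt, digest) pairs for the most recent passwords, newest last
    history: list = field(default_factory=list)


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the history free of plaintexts; 100k iterations is an
    # assumed value, not one taken from the policy.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def birthday_forms(d: date) -> list[str]:
    """Numeric renderings of the birthday to reject (assumed set)."""
    return [
        d.strftime("%m%d%Y"), d.strftime("%m%d%y"),
        d.strftime("%Y%m%d"), d.strftime("%d%m%Y"),
        d.strftime("%m/%d/%Y"), d.strftime("%m-%d-%Y"),
        d.strftime("%m/%d/%y"),
    ]


def check_password(password: str, user: UserProfile) -> list[str]:
    """Return the list of rule violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    # Name and ULID checks are case-insensitive: "JDoe-Secret" is no better
    # than "jdoe-secret" against someone who knows the user's ULID.
    lowered = password.lower()
    for label, value in (("first name", user.first_name),
                         ("last name", user.last_name),
                         ("ULID", user.ulid)):
        if value and value.lower() in lowered:
            problems.append(f"contains {label}")
    if any(form in password for form in birthday_forms(user.birthday)):
        problems.append("contains birthday")
    # Reuse: compare against the stored salted hashes in constant time.
    for salt, digest in user.history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_hash(password, salt), digest):
            problems.append(f"reused one of the previous {HISTORY_DEPTH} passwords")
            break
    return problems


def record_password(password: str, user: UserProfile) -> None:
    """Store a new salted hash and keep only the history the policy needs."""
    salt = os.urandom(16)
    user.history.append((salt, _hash(password, salt)))
    del user.history[:-HISTORY_DEPTH]


if __name__ == "__main__":
    # Constructed sample user, not a real person.
    u = UserProfile("Jane", "Doe", "jdoe", date(1990, 4, 17))
    for pw in ["Correct-Horse-42", "jdoe-Secret-2024", "Tree04171990x"]:
        print(pw, "->", check_password(pw, u) or "OK")
```

The history trim in `record_password` is what makes the reuse rule cheap to enforce: only the four most recent salted digests are retained, so an attacker who obtains the history gets no plaintexts and the check itself costs four PBKDF2 evaluations.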

PCI Password Procedure

Additional standards apply to PCI DSS systems that may differ from or supplement the 9.2.2 Password Procedure. The following standards are current as of the time of writing and also apply to PCI-compliant systems:

  • All users must be assigned unique IDs before being allowed to access system components or cardholder data
  • Access is immediately revoked for terminated users
  • Inactive user accounts are disabled within 90 days
  • After six invalid login attempts, the account is locked out for at least thirty minutes or until an administrator unlocks it
  • A session idle for fifteen minutes requires the user to re-authenticate
  • Passwords must be changed at least every 90 days
  • Virtual terminals (laptops and desktops) must have the active session locked when not attended by the currently-authenticated employee
  • Any non-console remote access into the PCI DSS environment must be secured through multi-factor authentication (MFA)
  • Standing non-console remote access into the cardholder data environment is forbidden for users, and no MFA enrollment for such access is issued; the only remote path into the environment is the monitored vendor-support session described under Vendor Access Procedure

Vendor Access Procedure

To facilitate remote support, a vendor may connect to the PCI-compliant environment only by having an ISU administrator join the remote support session. The administrator stays present for the duration of the session to monitor the vendor's access and actions. ISU personnel must use ScreenConnect (screenconnect.illinoisstate.edu) to provide vendor remote access.

Passwords and remote access are not provided to vendors.