Diff: FAQ #1067

Can you provide clarification on the user passwords referenced in PCI DSS 8.5?

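Earlier Version (2008-02-24 00:00:00 UTC)

PCI DSS requirement 8.5 requires all user passwords be securely managed. These requirements apply to all non-consumer users (not the cardholder) and administrators, not to credentials supplied by applications or systems. If the passwords are not used by individuals to log on to systems or accounts, and appropriate controls exist to mitigate the risk to passwords, all the requirements in 8.5 may not apply. However, it is an information security best practice to securely manage passwords used by applications and systems, which typically have administrative rights.

Later Version (2015-09-10 19:49:24 UTC)

PCI DSS Requirement 8 addresses secure authentication requirements and requires that all passwords and other authentication credentials be securely managed. These requirements apply to all non-consumer users and administrators. The term "non-consumer user" refers to all individuals, excluding cardholders, who access system components, including employees, administrators, and third parties. These requirements apply to all non-consumer users (not the cardholder) and administrators, not to credentials supplied by applications or systems. If the passwords are not used by individuals to log on to systems or accounts, and appropriate controls exist to mitigate the risk to passwords, all the requirements in 8.5 may not apply. However, it is an information security best practice to securely manage passwords used by applications and systems, which typically have administrative rights.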