Reference Content: This is a copy of content from the PCI Security Standards Council FAQ database, preserved for tracking changes over time.
FAQ #1072 Published

What is the purpose of requiring account lockout, per PCI DSS Requirements 8.1.6 and 8.1.7?

The intent of PCI DSS Requirements 8.1.6 and 8.1.7 is to prevent a malicious user from gaining access to users' accounts by repeatedly guessing a user's password. The lockout occurs after no more than six consecutive failed login attempts and remains in place for at least 30 minutes or until reset by the administrator. These lockout parameters are the minimum to be implemented; more stringent parameters may be used.

Note: PCI DSS Requirement numbers refer to PCI DSS version 3.
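The following is an added example, not part of the PCI SSC FAQ, showing how the two parameters above translate into a lockout state machine: a per-user counter of consecutive failures, a lock that engages at the sixth failure, and release either after the 30-minute window or through an administrator reset. The class and function names (`LockoutPolicy`, `FakeClock`, `demo`) and the walk-through scenario are constructed for illustration; the credential check itself is assumed to happen elsewhere and is passed in as a boolean.

```python
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Policy minimums as stated in the FAQ (PCI DSS v3 Requirements 8.1.6 / 8.1.7).
# A deployment may tighten either value but must not loosen them.
MAX_FAILED_ATTEMPTS = 6
LOCKOUT_SECONDS = 30 * 60


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_at: Optional[float] = None  # epoch seconds when the lock began, or None


class LockoutPolicy:
    """Tracks consecutive failed logins per user and enforces lockout (hypothetical helper).

    `clock` is injected so the 30-minute window can be exercised without sleeping.
    """

    def __init__(self, max_attempts: int = MAX_FAILED_ATTEMPTS,
                 lockout_seconds: int = LOCKOUT_SECONDS, clock=time.time):
        # Refuse configurations weaker than the PCI DSS minimum.
        if max_attempts > MAX_FAILED_ATTEMPTS or lockout_seconds < LOCKOUT_SECONDS:
            raise ValueError("lockout parameters weaker than the PCI DSS minimum")
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        st = self._state(user)
        if st.locked_at is None:
            return False
        if self.clock() - st.locked_at >= self.lockout_seconds:
            # The lockout window has elapsed: clear both the lock and the counter.
            st.locked_at = None
            st.failed_attempts = 0
            return False
        return True

    def attempt_login(self, user: str, password_ok: bool) -> str:
        """Record one login attempt; returns 'locked', 'success' or 'failure'."""
        st = self._state(user)
        if self.is_locked(user):
            # A locked account rejects even the correct password until the window
            # expires or an administrator resets it.
            return "locked"
        if password_ok:
            st.failed_attempts = 0  # only *consecutive* failures count
            return "success"
        st.failed_attempts += 1
        if st.failed_attempts >= self.max_attempts:
            st.locked_at = self.clock()
            return "locked"
        return "failure"

    def admin_reset(self, user: str) -> None:
        """Administrator unlock: clears the lock and the failed-attempt counter."""
        self.accounts[user] = AccountState()


class FakeClock:
    """Constructed clock so the demo can step through the 30-minute window."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> list:
    """Walk through the FAQ scenario on a constructed clock; returns each outcome."""
    clock = FakeClock()
    policy = LockoutPolicy(clock=clock)
    out = []
    for _ in range(5):
        out.append(policy.attempt_login("alice", password_ok=False))  # failures 1-5
    out.append(policy.attempt_login("alice", password_ok=False))      # sixth failure locks
    out.append(policy.attempt_login("alice", password_ok=True))       # correct password, still locked
    clock.advance(29 * 60)
    out.append(policy.attempt_login("alice", password_ok=True))       # 29 min: still locked
    clock.advance(60)
    out.append(policy.attempt_login("alice", password_ok=True))       # 30 min elapsed: success
    return out


if __name__ == "__main__":
    print(demo())
```

The two details worth noting for an assessor are that the correct password is rejected while the lock is active, and that a successful login clears the counter, so only consecutive failures accumulate toward the limit.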

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.