WithPCI.com

8.3.10 Additional requirement for service providers only: If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data (i.e., in any single-factor authentication implementation), then guidance is provided to customer users including:

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

8.3.10 Additional requirement for service providers only: If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data (i.e., in any single-factor authentication implementation), then guidance is provided to customer users including:

  • Guidance for customers to change their user passwords/passphrases periodically.
  • Guidance as to when, and under what circumstances, passwords/passphrases are to be changed.

Defined Approach Testing Procedures

8.3.10 Additional testing procedure for service provider assessments only: If passwords/passphrases are used as the only authentication factor for customer user access to cardholder data, examine guidance provided to customer users to verify that the guidance includes all elements specified in this requirement.

Customized Approach Objective

Passwords/passphrases for service providers' customers cannot be used indefinitely.

Applicability Notes

This requirement applies only when the entity being assessed is a service provider.

This requirement does not apply to accounts of consumer users accessing their own payment card information.

This requirement for service providers will be superseded by Requirement 8.3.10.1 once 8.3.10.1 becomes effective.

Purpose

Using a password/passphrase as the only authentication factor provides a single point of failure if compromised. Therefore, in these implementations, controls are needed to minimize how long malicious activity could occur via a compromised password/passphrase.

Good Practice

Passwords/passphrases that are valid for a long time without a change provide malicious individuals with more time to break the password/passphrase. Periodically changing passwords/passphrases offers less time for a malicious individual to crack a password/passphrase and less time to use a compromised one.

Sub Requirements

Purpose

Ensure MFA is implemented for all remote access to the CDE.

Compliance Strategies

  • MFA for all remote CDE entry points

Typical Policies

  • Remote Access Policy

Common Pitfalls

  • Partial MFA coverage

Type

Technical Control

Difficulty

Moderate

Key Risks

  • Remote CDE compromise

Recommendations

  • Comprehensive MFA deployment

Eligible SAQ

  • SAQ-D SERVICE PROVIDER
