WithPCI.com

8.3.5 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they are set and reset for each user as follows:

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

8.3.5 If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they are set and reset for each user as follows:

  • Set to a unique value for first-time use and upon reset.
  • Forced to be changed immediately after the first use.

Customized Approach Objective

An initial or reset password/passphrase assigned to a user cannot be used by an unauthorized user.

Defined Approach Testing Procedures

8.3.5 Examine procedures for setting and resetting passwords/passphrases (if used as authentication factors to meet Requirement 8.3.1) and observe security personnel to verify that passwords/passphrases are set and reset in accordance with all elements specified in this requirement.

Purpose

If the same password/passphrase is used for every new user, an internal user, former employee, or malicious individual may know or easily discover the value and use it to gain access to accounts before the authorized user attempts to use the password.

purpose

Use MFA for all remote access originating from outside the entity's network.

compliance strategies

  • MFA for external connections

typical policies

  • External Access Policy

common pitfalls

  • External partners not required to use MFA

type

Technical Control

difficulty

Moderate

key risks

  • External threat actors bypassing controls

recommendations

  • Enforce MFA for all external access

Eligible SAQ

  • SAQ-A
  • SAQ-A-EP
  • SAQ-C
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
