As we examine more of the requirements included in the Payment Application Data Security Standard (PA-DSS), we aim to highlight areas that non-compliant businesses can focus on. The third requirement, as stated in the document on Version 3.1 of the Standard, mandates that applications "provide secure authentication features." As with the other requirements, this one lists several guidance points on what is and is not acceptable for these applications.
Several of these points concern proper password and login practice. As the source states, default passwords give outside parties an easy route to compromising a system, as do weak or easily guessed ones.
The document outlines several factors that make a password strong, but it also stresses the need for regular changes. Leaving a password unchanged for long periods makes the application less secure, so users should receive regular prompts to change their passwords.
"The application must enforce the changing of all default application passwords for all accounts that are generated or managed by the application, by the completion of installation and for subsequent changes after installation," the requirement states. "This applies to all accounts, including user accounts, application and service accounts, and accounts used by the vendor for support purposes."
However, although compliance with PA-DSS is important, it is worth examining what makes a strong replacement password. A Security Intelligence article recently noted that it is not enough to change passwords regularly: each new password must differ from the old one in a significant way, not merely by an incremented digit or an appended character. Prompting a password change after a known compromise also does not undo damage already done.
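To make the two points above concrete, the following is an added illustration (not code from PA-DSS, the Security Intelligence article, or any vendor's payment application) of how an installer and a change-password flow can enforce them: every account seeded with a vendor default is flagged and blocks completion of installation until it is changed, and a replacement password is rejected if it is a known default or only a trivial variation of the old one. The default-password list, the minimum length, the similarity threshold and the PBKDF2 iteration count are assumptions chosen for the example.

```python
"""Install-time default-credential gate and replacement-password checks.

Added illustration; not code from PA-DSS or any vendor's payment application.
Policy values (default list, length, similarity threshold, iteration count)
are assumptions chosen for the example.
"""
import difflib
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed placeholder defaults an installer might seed; a real application
# would populate this from its own build.
DEFAULT_PASSWORDS = frozenset({"admin", "password", "changeme", "vendor123"})
MIN_LENGTH = 12              # assumed policy minimum
MAX_SIMILARITY = 0.6         # assumed: reject if >= 60% of the new password is the old one
PBKDF2_ITERATIONS = 100_000  # kept modest so the example runs quickly; raise in production


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the plaintext is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def _stem(password: str) -> str:
    """Lower-case and drop leading/trailing digits and punctuation, so
    'Summer2023!' and 'Summer2024!' both reduce to 'summer'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())


def is_trivial_variant(old: str, new: str) -> bool:
    """True when the replacement differs from the old password only in a small
    way: same stem, one stem contained in the other, or high character overlap."""
    a, b = _stem(old), _stem(new)
    if a and (a == b or a in b or b in a):
        return True
    ratio = difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= MAX_SIMILARITY


def validate_new_password(new: str, old: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if new.lower() in DEFAULT_PASSWORDS:
        problems.append("is a known default password")
    if old is not None and is_trivial_variant(old, new):
        problems.append("is only a trivial variation of the previous password")
    return problems


@dataclass
class Account:
    name: str
    salt: bytes = field(repr=False)
    digest: bytes = field(repr=False)
    must_change: bool  # True while the stored credential is still a vendor default

    @classmethod
    def seeded_default(cls, name: str, default_password: str) -> "Account":
        """How an installer would create an account that ships with a default."""
        salt, digest = hash_password(default_password)
        return cls(name, salt, digest, must_change=True)

    def change_password(self, current: str, new: str) -> List[str]:
        """Authenticate with the current password, then apply the policy.
        The old plaintext is available here because the user just supplied it;
        an administrator-forced reset would not have it for the similarity check."""
        if not verify_password(current, self.salt, self.digest):
            return ["current password incorrect"]
        problems = validate_new_password(new, old=current)
        if problems:
            return problems
        self.salt, self.digest = hash_password(new)
        self.must_change = False
        return []


def accounts_blocking_install(accounts: List[Account]) -> List[str]:
    """Names of accounts still holding a default credential. Installation must
    not be reported complete while this list is non-empty."""
    return [a.name for a in accounts if a.must_change]


if __name__ == "__main__":
    # Constructed sample: two accounts seeded by a hypothetical installer.
    seeded = [Account.seeded_default("admin", "admin"),
              Account.seeded_default("svc_report", "vendor123")]
    print("blocking install:", accounts_blocking_install(seeded))
    print("admin -> admin2024!:", seeded[0].change_password("admin", "admin2024!"))
    print("admin -> strong:", seeded[0].change_password("admin", "Quiz9#Lamp-Fjord-Wax"))
    print("blocking install:", accounts_blocking_install(seeded))
```

The stem and containment rules are deliberately conservative: a new password that merely wraps the old one in extra characters is refused even when its raw similarity ratio is low. Service and support accounts are held to the same gate as user accounts, which matches the requirement's scope.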
Be sure to visit this blog regularly for more details on what each PA-DSS requirement entails. Our next post in this series will look at logging payment application activity. You can read our article on the second requirement here.