Requirements

Simple password rules for PCI DSS Compliance

- User-level passwords must be changed at least every 60 to 90 days.
- Accounts that have system-level privileges must have a password that is different from all other accounts held by that user.
- Passwords must not be transmitted over the Internet by e-mail or any other form of communication without being encrypted.
- Passwords should be a minimum of 6 to 8 characters in length, with a combination of upper- and lower-case alphabetic characters, numeric characters, and special characters (e.g., !%@$).
- Passwords should never be written down or shared with anyone.

Download Free Information Supplement: Requirement 11.3 Penetration Testing

Download Free Payment Card Industry Data Security Standards (PCI DSS) Information Supplement: Requirement 11.3 Penetration Testing. Requirement 11: Regularly test security systems and processes.


Download Free PCI DSS Technical and Operational Requirements for Approved Scanning Vendors (ASVs) v 1.1

This document provides guidance and requirements applicable to ASVs in the framework of the PCI DSS and associated payment brand data protection programs. Security scanning companies interested in providing scan services in conjunction with the PCI program must comply with the requirements set forth in this document and must successfully complete the PCI Security Scanning Vendor Testing and Approval Process.


Download Free PCI DSS Validation Requirements for Approved Scanning Vendors (ASVs) v 1.1

To be recognized as an ASV by PCI SSC, the ASV, ASV employees, and the ASV's scanning solution must meet or exceed the requirements described in this document and execute the “PCI ASV Compliance Test Agreement” attached as Appendix A (the “Agreement”) with PCI SSC. The companies that qualify are identified on PCI SSC’s ASV list on PCI SSC’s web site in accordance with the Agreement.


Download Free DSS Validation Requirements for Qualified Security Assessors (QSAs) v 1.1a

To be recognized as a QSA by PCI SSC, QSAs must meet or exceed the requirements described in this document and execute the QSA Agreement with PCI SSC attached to this document as Appendix A (the “Agreement”).
