E-Commerce
PCI-Compliant Password Procedures
Last modified 4/17/2024
PCI DSS Standard
The PCI DSS requirements mandate the communication to all PCI-compliant users the:
- Guidance on selecting strong authentication credentials
- Guidance for how users protect their credentials
- Instructions to not reuse passwords
- Instructions to change possibly compromised passwords
Illinois State University Password Policy
University-affiliated individuals are required to follow section 9.2.2 of the University Policies and Procedures when creating a new password. These guidelines include the following:
- Passwords are case-sensitive
- Passwords must be at least 10 characters
- Passwords must not contain your birthday
- All temporary passwords must be changed at first login
- Passwords must not be reused for four consecutive changes
- Default passwords will not be used on any University system
- Passwords may contain punctuation or other special characters
- Passwords must contain an uppercase letter, a lowercase letter, and a number
- Passwords must not contain your first name, last name, or University Logon ID (ULID)
- Users are prohibited from sharing or allowing another individual to use their password
- If a breach occurs the offending account will be automatically locked and the password will need to be reset
- If an account or password is suspected to have been compromised, report the incident to the Technology Support Center and immediately change all associated passwords
PCI Password Policy
The following guidelines are additional password standards that apply to accounts used on PCI DSS Systems:
- Inactive user accounts are disabled within 90 days
- Passwords must be changed at least every 90 days
- Access is immediately revoked for terminated users
- Fifteen minutes of inactivity requires re-authentication
- Six invalid attempts result in account lockout for at least thirty minutes or until an administrative unlock
- All users must be assigned unique IDs before being allowed to access system components or cardholder data
- All non-console remote access into the PCI DSS environment is secured through multi-factor authentication (MFA)
- Virtual terminals (laptops and desktops) must have the active session locked when not attended by the currently authenticated employee
- Non-console remote access into the cardholder data environment is forbidden, and multi-factor authentication (MFA) for such remote access is not provided
Vendor Access Procedure
To facilitate remote access to the PCI environment for remote support, vendors may connect to the PCI-compliant environment by having an ISU administrator join a remote support session. The administrator will be present for the duration of the remote session to monitor vendor access and actions. ScreenConnect (screenconnect.illinoisstate.edu) is required for use by ISU personnel to provide vendor remote access.
Passwords and remote access are not provided to vendors.