PCI Requirement 8.2.6 – Set Passwords for First-Time Use and Upon Reset to a Unique Value

PCI Requirement 8.2.6 states, “Set passwords/passphrases for first-time use and upon reset to a unique value for each user and change immediately after first use.” There are two elements to PCI Requirement 8.2.6 compliance. First, whenever a new account is set up or an existing account is reset, it must be given a unique value. Why? The PCI DSS explains, “If the same password is used for every new user, an internal user, former employee, or malicious individual may know or easily discover this password, and use it to gain access to accounts.”
The second element is to change the password immediately after first use. Consider this scenario: a member of the administrative staff sets the password for a new account and provides it to the end user. Now two people know that password. This is why PCI Requirement 8.2.6 requires users to change the password immediately after first use.
During an assessment, your organization’s password procedures will be examined and security personnel should be observed to ensure that passwords/passphrases for first-time use and upon reset have been set to a unique value.
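The two elements of 8.2.6 as they would look in an account-provisioning routine: a unique random one-time value per account (or reset), a must-change flag that blocks normal access until the user replaces it, and an audit listing accounts still sitting on an unchanged one-time value. This is an added illustration written for this page, not code from KirkpatrickPrice or the PCI DSS; the `Directory` class, its method names and the PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

ITERATIONS = 50_000  # assumed; kept modest so the example runs quickly

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    must_change: bool = True  # armed on provisioning and on every reset

class Directory:
    def __init__(self):
        self.accounts = {}

    def provision(self, username: str) -> str:
        """Create or reset an account with a unique random one-time value (first element)."""
        temp = secrets.token_urlsafe(12)  # unique per account, never a shared default
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, hash_password(temp, salt), True)
        return temp  # handed to the user out of band; only its hash is stored

    def login(self, username: str, password: str) -> str:
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct.password_hash, hash_password(password, acct.salt)):
            return "denied"
        # No normal access until the one-time value has been replaced (second element).
        return "change_required" if acct.must_change else "ok"

    def change_password(self, username: str, old: str, new: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or self.login(username, old) == "denied":
            return False
        if hmac.compare_digest(acct.password_hash, hash_password(new, acct.salt)):
            return False  # the new password must differ from the one-time value
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = hash_password(new, acct.salt)
        acct.must_change = False
        return True

    def audit(self) -> list:
        """Assessment-style check: accounts still on an unchanged one-time value."""
        return sorted(u for u, a in self.accounts.items() if a.must_change)
```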
About Us
KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks.