PCI Council And Passwords: Do As We Say, Not As We Do

The council's own passwords wouldn't pass PCI rules. The PCI Council has never been a stranger to irony. But its internal password procedures—the ones that protect the PCI Standard itself (literally the Word document version of the standard)—may be taking the encrypted irony cake. Those procedures actually violate at least four PCI requirements, plus a few standard security rules.

First, to be fair, what's being protected is not especially sensitive. Specifically, the password is not intended to keep out prying eyes. Rather, its sole purpose seems to be to keep meddling fingers away. The Council apparently doesn't want anyone out there to be able to edit the standard and then to produce the modified file as proof of a particular position. The password often frustrates people who have to work with the document, though, because it prevents them from copying a section and forwarding that text to someone.

But in an attempt to protect the integrity of the document—which tells retailers how to maintain payment card security, including, deliciously, rules for setting passwords—the Council decided to lock it down before posting it on the PCI Web site. PCI's rules require passwords to be changed every 90 days, prohibit group/shared/generic passwords and require passwords to be at least seven characters long and contain both numeric and alphabetic characters.

Additional rules, typical for any security shop, include prohibiting passwords that are in the dictionary and certainly ones that are easily guessable. And yet, the password for the PCI DSS document seems to violate the four password rules stated in its own text (that's about as quintessentially ironic as anything could get), in addition to the dictionary and guessable rules. It's—wait for it—pcidss.
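To make the rules quoted above concrete, here is an added checker (not from the column or the Council) that reports which of those rules a given password fails; the blocklist and the change dates are constructed sample data, and the name `check_password` is our own.

```python
import re
from datetime import date

# Constructed stand-in for a dictionary / easily-guessed-word list (assumption, not a real list).
BLOCKLIST = {"password", "pcidss", "pci", "welcome", "letmein", "qwerty"}


def check_password(password, last_changed, today, shared=False, wordlist=BLOCKLIST):
    """Return the PCI DSS password rules named in the column that `password` fails.

    Rules checked: minimum seven characters, both alphabetic and numeric characters,
    changed within 90 days, no group/shared/generic use, and not a dictionary or
    easily guessable word (digits stripped before the word lookup).
    """
    failures = []
    if len(password) < 7:
        failures.append("length: fewer than seven characters")
    has_alpha = re.search(r"[A-Za-z]", password) is not None
    has_digit = re.search(r"\d", password) is not None
    if not (has_alpha and has_digit):
        failures.append("composition: needs both alphabetic and numeric characters")
    if (today - last_changed).days > 90:
        failures.append("age: not changed within 90 days")
    if shared:
        failures.append("shared: group/shared/generic passwords are prohibited")
    # "pcidss2010" still reduces to a guessable word once digits are removed.
    stripped = re.sub(r"\d+", "", password).lower()
    if password.lower() in wordlist or stripped in wordlist:
        failures.append("guessable: dictionary or easily guessed word")
    return failures


if __name__ == "__main__":
    today = date(2010, 3, 1)  # constructed reference date
    for pw, changed in [("pcidss", date(2010, 1, 1)), ("Tr4ckD4ta9x", date(2009, 6, 1))]:
        print(pw, "->", check_password(pw, changed, today) or ["ok"])
```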

When one QSA was asked about the password, he guessed it on his first try—once he was told that it was quite guessable. He then tried the same password on some PCI FAQs, and it worked. (Same password for multiple files? That's got to be in somebody's password rules somewhere.)

As mentioned earlier, these documents don't include credit card numbers or other sensitive information. But if the decision is made to lock them down, there's presumably a reason. If the concern is that QSAs or merchants can change the document, then the Council needs to choose a password that will indeed create the desired protection.

That said, another unwritten rule is that passwords need to be changed the moment a breach occurs or the password otherwise gets out. StorefrontBacktalk's PCI Columnist, Walt Conway, and I have a bet on how long it will take the PCI Council to change its password after this story is published. Want a piece of the action?