PCI DSS 8.6.3: Protecting System Account Passwords Against Misuse
System and application account passwords are prime targets for attackers seeking unauthorized access to critical infrastructure. PCI DSS 8.6.3 requires organizations to implement controls that prevent password misuse, ensuring that administrative and service accounts remain secure throughout their lifecycle. Meeting this requirement is essential for maintaining cardholder data security and avoiding compliance violations.
What this means
PCI DSS 8.6.3 mandates that all passwords used by system and application accounts—such as database administrators, system administrators, and service accounts—must be protected through technical and procedural controls. This means passwords cannot be stored in plaintext, shared across multiple users, or accessed by unauthorized personnel. The control ensures that only legitimate account owners can authenticate and that password compromise is quickly detected.
How to comply
- 1.Implement strong password hashing algorithms (bcrypt, PBKDF2, or Argon2) for all stored account passwords
- 2.Enforce multi-factor authentication (MFA) on all system and application accounts with administrative privileges
- 3.Restrict password access to authorized personnel only, using role-based access controls
- 4.Encrypt passwords during transmission using TLS 1.2 or higher
- 5.Conduct quarterly reviews of system account access and remove inactive accounts
- 6.Document a password management policy covering complexity, rotation, and storage requirements
- 7.Monitor account logins and failed authentication attempts for suspicious activity
- 8.Use vault or secrets management tools to centralize and audit password storage
Evidence auditors look for
- Documented system account password policy approved by management
- Password hashing algorithm specifications and implementation documentation
- MFA configuration records for administrative accounts
- Access logs showing password changes and administrative activities
- Secrets management tool configuration and audit trails
- Password encryption certificates and TLS configuration details
- Quarterly account access reviews with sign-off documentation
- Security monitoring logs for failed authentication attempts and account lockouts
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates system account password policy enforcement and generates compliant password storage documentation, eliminating manual tracking and reducing the time spent on password protection audits.
See how GRCWatch handles this control automatically
Start free trial