The Friendly Help Desk and PCI DSS 2.0

ClearPath Forward3 minutes readAug 31st, 2012

“Good morning! May I have your name, please?”

“This is Jane User.”

“How may I help you, Jane?”

“I forgot my password. Can you tell me what it is?”

“I can’t do that, but I can reset it. Your new password is abc123. Have a nice day.”

“Good morning! May I have your name, please?”

“This is Joe User.”

“How may I help you, Joe?”

“I forgot my password. Can you reset it?

“Yes. Your new password is abc123. Don’t forget to change it when you log on. Have a nice day.”

Among other questionable practices in the above dialog, both user passwords were reset to the same value.

The Payment Card Industry Data Security Standard (PCI DSS), which governs entities that process credit cards, has a few words to say about the uniqueness of passwords. The current standard, version 2.0, requires unique initial passwords for new users, requires them to be changed at the first use, and requires that passwords must be set to unique values when they are reset.

If your help desk and system administrator routinely reset passwords to the same value for all users (including the universal favorites “a”, “aaa”, and “12345”), a simple procedural change can increase your protection against unauthorized logins – even if the PCI DSS doesn’t apply to you.

Compliance with the PCI DSS is mandated by the payment card brands, following the standard published by the Payment Card Industry Council, so you might initially think you could ignore the PCI DSS if you don’t process payment cards on your Unisys ClearPath server. However, PCI DSS is a respected standard whose guidelines include common sense recommendations that can help make any enterprise more secure.

The Payment Card Industry (PCI) Security Standards Council has defined twelve high-level data security requirements, each of which includes multiple lower level requirements. In addition to process-related requirements, such as the ones for password creation, change, and reset, the PCI DSS includes technical requirements.

Unisys ClearPath servers provide the necessary security features and flexibility for you to meet these technical requirements. Two white papers available on the Unisys web site have more information: