Information on Security in PrismCore for PA-DSS 3.1

According to password complexity requirements for PCI 3.0:

• Passwords must not contain the user's entire account name value or entire display name value.
• The account name is checked in its entirety only to determine whether it is part of the password. If the account name is less than three characters long, this check is skipped.
• The display name is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the display name is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are less than three characters in length are ignored, and substrings of the tokens are not checked.

For example, the name "Erin M. Hagens" is split into three tokens: "Erin," "M," and "Hagens." Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" anywhere in the password.
Passwords must contain characters from three of the following categories:

• Uppercase characters
• Lowercase characters
• Base 10 digits (0 through 9)
• Non-alphanumeric characters: ~!@#$%^&*_-=`|(){}[]:;"'<>,.?/+

There are two areas where PrismCore software and servers interact with this requirement.

Server Component

In order for the PrismCore server to force adherence to complexity requirements, login attempts, expiration times, and other security related features, users must set the server up with password policy requirements. This is done via password policy that controls the servers running SQL. For information on how to set up and control this feature, Microsoft suggests the following:

{+}https://technet.microsoft.com/en-us/library/dn452420(v=ws.11).aspx+

Note: You will need to locate the information specific to the version of the operating system running on your server

PrismCore User / SQL User Component

• When a PrismCore user is created, the system automatically creates a corresponding SQL user.
• Beginning with PrismCore 27.3.2, all NEW users added to PrismCore are automatically set to "Enforce Password Policy" and "Enforce Password Expiration" in SQL when their PrismCore user is created. This means those users will be set up to adhere to the security policy set up on that server (see Server Component).
• For users created prior to PrismCore 27.3.2, if a manager would like their PrismCore users to adhere to the security policy set, they will need to contact IT Support. Support will then enable the SQL users to "Enforce Password Policy" and "Enforce Password Expiration".