Section 10: Gateway Password Policy


User Accounts and Password Management Policy

Merchant User ID/Password Management Requirements

Every user must have a single unique user ID and a personal secret password for access to the gateway administration area. Your password should not be given out to anyone for any reason.

Each user ID must uniquely identify only one user. Shared or group user IDs are never permitted.

New employees will be issued a one-time-use password that they will be required to change upon logging in for the first time.

The system privileges of all users must be restricted based on need to know. Assignment of privileges will be based on job classification and function.

An employee’s user ID must be immediately terminated at the time that the employee ceases to provide services.

Each user ID must be unique, connected solely with the user to whom it was assigned, and must not be reassigned after an employee terminates their relationship.

Your employees' requests to reset passwords should be made in person.

System Password Policy:

User passwords must be changed at least every 90 days.

Password Format:
All user passwords are required to be a minimum of 10 characters and a maximum of 20
Must contain both letters and numbers
No special characters except for @ and +
Cannot be a previously used password and must differ by at least 3 characters from the previous password
Cannot contain your user ID
Passwords are case sensitive
No dictionary words allowed
Limit of 4 of the same character in a row
No keyboard patterns using letters close to each other longer than 4 characters
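
The format rules above can be checked in code at password-change time. The following is an added example, not the gateway's own code. It assumes a US QWERTY layout, a small constructed word list standing in for a real dictionary, and that "differ by at least 3 characters" means an edit distance of 3 or more from the current password. The full password-history check is left out because it needs the stored hashes.

```python
import re

KEY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")  # assumed US QWERTY
WORDS = {"password", "gateway", "merchant", "welcome"}  # constructed stand-in word list

def edit_distance(a, b):
    """Levenshtein distance, our reading of the 'differ by at least 3' rule."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def has_keyboard_run(pw, limit=4):
    """True if more than `limit` consecutive characters walk along one key row."""
    low = pw.lower()
    for i in range(len(low) - limit):
        chunk = low[i:i + limit + 1]
        if any(chunk in row or chunk[::-1] in row for row in KEY_ROWS):
            return True
    return False

def check_password(pw, user_id, current):
    """Return the policy rules that `pw` violates (empty list means acceptable)."""
    errors = []
    if not 10 <= len(pw) <= 20:
        errors.append("length must be 10-20")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        errors.append("must contain letters and numbers")
    if re.search(r"[^A-Za-z0-9@+]", pw):
        errors.append("only @ and + allowed as special characters")
    if edit_distance(pw, current) < 3:  # comparison is case sensitive
        errors.append("must differ from previous password by 3+ characters")
    if user_id and user_id.lower() in pw.lower():
        errors.append("must not contain user ID")
    if any(w in pw.lower() for w in WORDS):
        errors.append("must not contain dictionary words")
    if re.search(r"(.)\1{4}", pw):  # 5 or more identical characters in a row
        errors.append("more than 4 identical characters in a row")
    if has_keyboard_run(pw):
        errors.append("keyboard pattern longer than 4 characters")
    return errors
```
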

User Account Lockout
A user account will be locked out in the event of 6 or more invalid login attempts. The account will remain locked out for 30 minutes or until the account is manually unlocked.

Session Timeout
If a logged-in session is idle for more than 15 minutes, then the user is required to log in again.

Inactive Admin Access
Administration passwords will be deactivated if not used for 90 days and can be reset online.