Post by Karonia69 » Thu Jan 30, 2025 6:39 pm

Hi,
Just wondered if anyone knows of a mod that covers the latest password management measures – increased password length (from 7 to 12 minimum alphanumeric characters), maximum password lifetime of 90 days and potential to prevent re-use of passwords.

TIA ;D :)
Last edited by Karonia69 on Thu Feb 06, 2025 10:21 pm, edited 1 time in total.


Post by by mona » Thu Jan 30, 2025 8:06 pm

For future reference please read the forum rules before posting which you can find here viewtopic.php?t=200480

The best place to start is to check the marketplace which you can find here https://www.opencart.com/index.php?rout ... h=password

If you do not find anything perfect you can find the closest and ask the developer if they will do some paid custom work.
Alternatively you can post in the commercial section which you can find here viewforum.php?f=88 with all the details including the forum rules posted above.

DISCLAIMER:
You should not modify core files .. if you would like to donate a cup of coffee I will write it in a modification for you.


https://www.youtube.com/watch?v=zXIxDoCRc84



Post by ADD Creative » Fri Jan 31, 2025 1:12 am

I couldn't see any when I looked. I assume most store owners are using written policies and ensuring users are adhering to them.

I would also be interested to know what others are planning on using to comply with parts 6.4.3 and 11.6.1 that require the payment/checkout page to be monitored. These requirements will be required by 1 April 2025.

www.add-creative.co.uk



Post by by mona » Fri Jan 31, 2025 1:51 am

The compliance is for organisations that collect and store credit card information.
Hopefully it will force online stores to only use systems that spend the money on security to request/collect/store such data.


Post by ADD Creative » Fri Jan 31, 2025 7:42 pm

by mona wrote: Fri Jan 31, 2025 1:51 am
The compliance is for organisations that collect and store credit card information.
Hopefully it will force online stores to only use systems that spend the money on security to request/collect/store such data.

Yes, PCI DSS v4.0 should force online stores to think more about security. It seems like the bigger payment providers are not requiring store owners to be fully compliant. However, some payment providers are, and compliance is actually required for anyone who takes card payments, even if they use a third party payment provider to do that. Even if you are just using PayPal you still need a PCI SAQ A for an online store, however they never seem to check this.

The SAQ A seems clear that the password requirements apply to online stores even if they only redirect to the payment provider.
Note: For SAQ A, Requirement 8 applies to merchant webservers that host the page(s) that provides the address (the URL) of the TPSP’s payment page/form to the merchant’s customers.
The same goes for part 6.4.3, which requires all scripts to be checked.
Note: For SAQ A, Requirement 6.4.3 applies to the page(s) on the merchant’s website(s) that provides the address (the URL) of the TPSP’s payment page/form to the merchant’s customers.
If using an iframe for the payment form then part 11.6.1 applies, which requires the checkout page to be checked at least once every seven days to see if it's been tampered with.
Note: For SAQ A, Requirement 11.6.1 applies to merchants that include a TPSP’s inline frame (iframe) payment form on the merchant’s website.
As well as the now required quarterly external security scans.

www.add-creative.co.uk
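
One way to automate the weekly check described in the post above (parts 6.4.3 and 11.6.1), as an added example that is not from the thread or from OpenCart: it inventories the scripts and iframes on a saved copy of the checkout page and reports anything that differs from an authorised baseline. The sample HTML, hosts and function names are constructed for illustration; fetching the live page and alerting are left out.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample pages (not from a real store); hosts and paths are placeholders.
BASELINE_HTML = """<html><head>
<script src="/js/common.js"></script>
<script>var checkout = {step: 1};</script>
</head><body><iframe src="https://pay.example.com/form"></iframe></body></html>"""
CHANGED_HTML = BASELINE_HTML.replace(
    "{step: 1};", "{step: 1}; var extra = 1;").replace(
    "</head>", '<script src="https://unlisted.example.net/extra.js"></script></head>')

class ScriptCollector(HTMLParser):
    """Record external script/iframe URLs and SHA-256 hashes of inline scripts."""
    def __init__(self):
        super().__init__()
        self.items, self._buf = set(), None   # _buf is a list while inside an inline script

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe") and src:
            self.items.add(f"{tag}:{src}")
        elif tag == "script":
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip().encode()
            self.items.add("inline:" + hashlib.sha256(body).hexdigest())
            self._buf = None

def inventory(html):
    """Return the set of script and iframe items found in one page."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    return collector.items

def compare(baseline, current):
    """Return (added, removed) relative to the authorised baseline inventory."""
    return sorted(current - baseline), sorted(baseline - current)

if __name__ == "__main__":
    added, removed = compare(inventory(BASELINE_HTML), inventory(CHANGED_HTML))
    print("not in baseline:", added)
    print("missing from baseline:", removed)
```

An edited inline script shows up as one removed hash and one added hash, so any non-empty result means the page no longer matches what was authorised.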



Post by by mona » Fri Jan 31, 2025 8:46 pm

Yes, it is a move to secure credit card data that is collected on the site and stored in the database, this includes transmission of the data collected on the site and transferred to a third party as the transmission can be intercepted or tampered with via a script, thus you must check regularly (and should be anyway).
This also includes any quick payment extensions on a product page, not just the checkout page. It also includes any data collected from the processor and returns the data and the data stored on the database.

It is particularly important for any site that allows uploads (including review images for example) to be checking their site daily even if they don't take payments.
