Hi folks

Like many card-processing organisations worldwide, we're going through the 
audit for PCI-S at the moment.

I'm being constantly harassed by our risk team to provide some means of control 
over user passwords - at first they were demanding that all passwords contained 
at least 10 characters, comprised of a mixture of upper and lower case, 
numerics and special characters, but after me explaining to them that they 
could only have upper case, numerics and only three special characters in an 
eight-character length, they revised their demands.

Now they're insisting that I provide some sort of mechanism to enforce password 
complexity, i.e., something that forces users to implement passwords that have at 
least a given number of characters, numerics, and special characters, with no 
repetitions etc etc.

I don't really have the time to do this and I'm arguing that I don't see what 
benefit we will get from the considerable amount of effort that I will have to 
put into designing, coding and testing such a routine, and then there's the 
question of risk of malfunction due to subsequent operating system release 
changes etc.

Basically, I don't want to do it, and I'm looking for good excuses not to.

Have any of you gone through PCI accreditation and, if so, did you have to 
address this?

Thanks 

Brian
This e-mail message is for the sole use of the intended recipient(s) and may 
contain confidential and privileged information of Transaction Network Services. 

Any unauthorized review, use, disclosure or distribution is prohibited. If you 
are not the intended recipient, please contact the sender by reply e-mail and 
destroy all copies of the original message.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
