8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts.
8.1.6.a For a sample of system components, inspect system configuration settings to verify that authentication parameters are set to require that user accounts be locked out after not more than six invalid logon attempts.
8.1.6.b Additional testing procedure for service provider assessments only: Review internal processes and customer/user documentation, and observe implemented processes to verify that non-consumer customer user accounts are temporarily locked out after not more than six invalid access attempts.
Without account-lockout mechanisms in place, an attacker can continually attempt to guess a password through manual or automated tools (for example, password cracking), until they achieve success and gain access to a user’s account.
Note: Testing Procedure 8.1.6.b is an additional procedure that only applies if the entity being assessed is a service provider.
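Testing procedure 8.1.6.a asks the assessor to inspect configuration on a sample of system components. The following script is an added example, not part of the PCI DSS text, showing how such a check can be automated for a Linux host whose lockout is enforced by pam_faillock: it parses a configuration in the `key = value` syntax of /etc/security/faillock.conf, verifies that an explicit `deny` threshold is present and does not exceed six, and models the consecutive-failure counter so the meaning of "after not more than six attempts" is visible. The three configuration samples are constructed for illustration; the timing window (`fail_interval`) and unlock behaviour of the real module are deliberately out of scope here, as are the PAM stack lines that actually load the module.

```python
"""
Audit helper for PCI DSS 8.1.6: verify that a pam_faillock-style configuration
locks accounts after no more than six invalid logon attempts.
Added example with constructed inputs; nothing here is read from a real host.
"""
import re

PCI_DSS_8_1_6_MAX_ATTEMPTS = 6

# Constructed sample configurations in /etc/security/faillock.conf syntax.
COMPLIANT_CONF = """
# constructed example: meets 8.1.6
dir = /var/run/faillock
deny = 5          # lock after 5 consecutive failures
unlock_time = 1800
"""

WEAK_CONF = """
# constructed example: threshold too high for 8.1.6
deny = 10
unlock_time = 60
"""

NO_LOCKOUT_CONF = """
# constructed example: no deny line at all
dir = /var/run/faillock
"""


def parse_key_values(text):
    """Parse 'key = value' lines; '#' starts a comment; a later key overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"(\w+)\s*=\s*(\S+)", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_lockout_threshold(conf_text, max_attempts=PCI_DSS_8_1_6_MAX_ATTEMPTS):
    """Return (compliant, reason) for testing procedure 8.1.6.a.

    Compliant only when an explicit, positive 'deny' value is present and does
    not exceed max_attempts. A missing value is reported as a finding rather
    than assumed safe: a module default is not evidence that a lockout is
    actually enforced on the host being sampled."""
    settings = parse_key_values(conf_text)
    raw = settings.get("deny")
    if raw is None:
        return False, "no explicit 'deny' threshold; lockout not demonstrably enforced"
    try:
        deny = int(raw)
    except ValueError:
        return False, f"'deny' is not an integer: {raw!r}"
    if deny < 1:
        return False, f"'deny' = {deny} is not a usable lockout threshold"
    if deny > max_attempts:
        return False, f"'deny' = {deny} exceeds the permitted maximum of {max_attempts}"
    return True, f"'deny' = {deny} locks the account within {max_attempts} attempts"


def simulate_lockout(outcomes, deny):
    """Simplified model of the counter: consecutive failures accumulate and a
    successful logon resets them. Returns the 1-based index of the attempt at
    which the threshold is reached, or None if it never is. The real module's
    time window is ignored in this model."""
    consecutive = 0
    for i, ok in enumerate(outcomes, start=1):
        if ok:
            consecutive = 0
        else:
            consecutive += 1
            if consecutive >= deny:
                return i
    return None


if __name__ == "__main__":
    samples = (("compliant", COMPLIANT_CONF), ("weak", WEAK_CONF), ("no lockout", NO_LOCKOUT_CONF))
    for name, conf in samples:
        ok, why = check_lockout_threshold(conf)
        print(f"{name:11s} {'PASS' if ok else 'FAIL'}: {why}")
    # Seven straight failures: deny=5 locks at attempt 5, deny=10 never locks.
    print(simulate_lockout([False] * 7, 5), simulate_lockout([False] * 7, 10))
```

Run it as-is to see the three verdicts, or point `check_lockout_threshold` at the contents of a real faillock.conf gathered from each sampled component. Treating a missing `deny` as a failure rather than falling back to the module default is deliberate: the assessor needs evidence that the lockout is configured, not an assumption about defaults, and a host where the module is not loaded at all would otherwise pass silently.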