1 | 1 | # Magento 2 PCI DSS 4.0 Compatibility |
2 | 2 |
3 | | -A Magento 2 module to bring it in-line with the [PCI DSS 4.0 requirements](https://east.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss), with changes including: |
4 | | -* Automatic disabling of admin accounts with 90 days of inactivity. |
5 | | - * Functionality added via new cron job that runs once per day. |
6 | | -* Restriction of admin session timeout to be no more than 15 minutes. |
7 | | -* Restriction of admin lockout functionality: |
8 | | - * No more than 10 attempts before lockout. |
9 | | - * Lockout duration of no less than 30 minutes. |
10 | | -* Enforce than admin passwords must contain at least 12 characters. |
| 3 | +A Magento 2 module to bring the use of admin accounts in-line with the [PCI DSS 4.0 requirements](https://east.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss), with changes covering the following requirements: |
| 4 | +* 8.2.6 |
| 5 | + * Inactive user accounts are removed or disabled within 90 days of inactivity |
| 6 | +* 8.2.8 |
| 7 | + * If a user session has been idle for more than 15 minutes, the user is required to re-authenticate to re-activate the terminal or session. |
| 8 | +* 8.3.4 |
| 9 | + * Invalid authentication attempts are limited by: |
| 10 | + * Locking out the user ID after not more than 10 attempts. |
| 11 | + * Setting the lockout duration to a minimum of 30 minutes or until the user’s identity is confirmed. |
| 12 | +* 8.3.6 |
| 13 | + * If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity: |
| 14 | + * A minimum length of 12 characters (or IF the system does not support 12 characters, a minimum length of eight characters). |
| 15 | + * Contain both numeric and alphabetic characters |
| 16 | + |
| 17 | +The changes invovled for each requirement are as follows: |
| 18 | +* 8.2.6 |
| 19 | + * A new cron job (scheduled once per day) will automatically make any account that has not logged in for 90 days inactive |
| 20 | +* 8.2.8 |
| 21 | + * The configuration setting in admin for idle timeout has been modified to only accept values less than or equal to 900 seconds (15 minutes). |
| 22 | +* 8.3.4 |
| 23 | + * The configuration setting in admin for the number of incorrect login attempts before an account is locked has been modified to only accept values less than or equal to 10. |
| 24 | + * The configuration setting in admin for the time an account is locked for has been modified to only accept values greater than or equal to 30. |
| 25 | +* 8.3.6 |
| 26 | + * The minimum number of characters a password must have has been increased from 7 to 12. |
11 | 27 |
12 | 28 | ## Installation |
13 | 29 | ```shell |
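Review bot: the added 8.3.6 section lists two requirements (a 12-character minimum and "Contain both numeric and alphabetic characters"), but the matching entry under "The changes invovled for each requirement" only describes raising the minimum length from 7 to 12; the README should state whether the alphanumeric composition rule is enforced by this module or is relied on from Magento core, otherwise it implies coverage it does not describe. Two smaller points in the same hunk: "invovled" should be "involved", and the 8.3.4 lockout-duration entry ("only accept values greater than or equal to 30") should name the unit (minutes) so it reads consistently with the requirement text and with the 8.2.8 entry, which does state "900 seconds (15 minutes)".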