The company I currently work for is undertaking a PCI/DSS project around its store back office and POS systems.
One of the issues we're facing is how to meet the requirements for logins for store cashiers while at the same time meeting some of the base level PCI/DSS requirements.
In specialty retail, cashiers tend to have high turnover rates (as compared to the broader workforce of the company) and the desire is usually to facilitate speed at the cash wrap. These seem to be contradictory goals with the complexities a more stringent security mechanism will bring to bear.
We're requiring a minimum of 8 characters and any three of the following four entropy sets:
- upper case characters
- lower case characters
- numbers
- symbols
Passwords will expire in 90 days and after 5 tries the password will be locked out for 15 minutes or until reactivated by a system admin.
While secure, I think we're getting carried away a bit on the password rules. We're also making user names somewhat more difficult as well. Today cashiers use their payroll numeric ID as a cashier ID. In the future they will use their first initial plus last name.
Are we being too draconian with our security measures at POS? PCI/DSS compliance is important, but are simple logins at the POS really not supported by the standard? I should note that our POS and back office systems are integrated in such a way that the logins to POS and the back office are not separate and that, with the right permissions, credit card data is accessible via the back office.
Thanks,
SCB
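The rules described in the question (minimum 8 characters, any 3 of 4 character classes, 90-day expiry, 5 failed attempts then a 15-minute lockout that an admin can clear early) are concrete enough to model. The following is an added example, not code from the poster or their POS vendor: a small Python module that enforces exactly that policy with an explicit `now` clock so the lockout window and expiry can be tested deterministically. The account and tracker classes, the constant names and the sample passwords are all assumptions made for this illustration; `string.punctuation` is used as the definition of "symbols", which is one reasonable choice, not the standard's.

```python
import string
from dataclasses import dataclass

# Policy constants as stated in the question (assumed names)
MIN_LENGTH = 8
REQUIRED_CLASSES = 3          # any three of the four classes below
MAX_AGE_DAYS = 90
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60

SECONDS_PER_DAY = 24 * 60 * 60


def character_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:   # assumed definition of "symbols"
            classes.add("symbol")
    return classes


def meets_complexity(password: str) -> bool:
    """Length >= 8 and at least three of the four classes."""
    if len(password) < MIN_LENGTH:
        return False
    return len(character_classes(password)) >= REQUIRED_CLASSES


@dataclass
class Account:
    username: str
    password_set_at: float      # epoch seconds when the password was last changed
    failures: int = 0           # consecutive failed attempts since last success
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


def password_expired(account: Account, now: float) -> bool:
    """True once the password is older than the 90-day maximum."""
    return now - account.password_set_at > MAX_AGE_DAYS * SECONDS_PER_DAY


def is_locked(account: Account, now: float) -> bool:
    """Locked while the 15-minute window has not yet elapsed."""
    return now < account.locked_until


def record_failure(account: Account, now: float) -> bool:
    """Count a failed attempt; lock the account on the fifth. Returns lock state."""
    if is_locked(account, now):
        return True
    account.failures += 1
    if account.failures >= MAX_FAILURES:
        account.locked_until = now + LOCKOUT_SECONDS
        account.failures = 0        # counter restarts after the lock clears
        return True
    return False


def record_success(account: Account) -> None:
    """A successful login resets the consecutive-failure counter."""
    account.failures = 0


def admin_unlock(account: Account) -> None:
    """A system admin may reactivate the account before the window ends."""
    account.locked_until = 0.0
    account.failures = 0


if __name__ == "__main__":
    # Constructed sample values, not real credentials
    for pw in ("Summer2024", "summer2024", "Ab1!", "correct-horse-9"):
        print(f"{pw!r:20} classes={sorted(character_classes(pw))} ok={meets_complexity(pw)}")
    acct = Account(username="jsmith", password_set_at=0.0)
    t = 1_000.0
    for attempt in range(MAX_FAILURES):
        print("attempt", attempt + 1, "locked:", record_failure(acct, t))
    print("locked 14 min later:", is_locked(acct, t + 14 * 60))
    print("locked 16 min later:", is_locked(acct, t + 16 * 60))
```

The `now` argument is passed in rather than read from the clock so the same code can be unit-tested and so the lockout window is independent of wherever the check runs (a concern when POS terminals and the back office share one login, as the question describes).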