Bring on the corrections to your reference...
The PCI Security Standards Council (PCI SSC) and financial services standards outfit the Accredited Standards Committee X9 have decided to combine forces on personal-identification-number-handling-rules. Today, both have their own standards, which is a pain for organisations like banks that follow rules set by both …
Thursday 15th February 2018 11:31 GMT MJB7
To be fair
This is an agreement between the people setting the standards. Both sides regularly update their standard. If they update it to be identical, then there will only be one standard. (Just like the BSI and DIN, and ANSI all have standards for the C programming language - they are just the *same* standard.)
Thursday 15th February 2018 11:48 GMT JimmyPage
About ... 30 years too late ?
Fuck PINs. What we needs is a password standard ...
defined character set
defined complexity modifiers (numbers, punctuation, case)
storage mechanism (hashed)
recovery protocol (hashed URL with time limits and supplementary challenge)
would be a good starting point.
I've booked 2035 off, to read the first draft.
Thursday 15th February 2018 19:56 GMT Carpet Deal 'em
Re: About ... 30 years too late ?
There are far too many legacy systems to simply not consider PINs. As for a password standard, the USNIST has some recommendations on that front. The highlights:
- All printing ASCII characters(space included) permitted; Unicode support preferable, but not required
- Minimum of eight characters for chosen passwords(six characters for randomly generated ones)
- Permitted password length of at least 64 characters
- Checked against a blacklist
- No complexity or rotation requirements
Thursday 15th February 2018 15:58 GMT Anonymous Coward
Overlapping standards compliance
"The overlapping standards also make life hard for assessors who may consider an organisation's PCI compliance is not in order if they adhere to the X9 rules."
Won't make much of a difference if your computer can be compromised by open a malicious email attachment or clicking on a malicious weblink.
Thursday 15th February 2018 19:36 GMT nagyeger
...to the darkness bind them
I thought the whole thing about the one pin, was that assuming you don't want to be subject to the evil overlord, you needed to throw it into Mount Doom? (see icon for effectiveness >>>>)
Now all we need to do is work out how you that to the customer services bod....