PCI Council and X9 Committee to combine PIN security standards

The PCI Security Standards Council (PCI SSC) and the financial services standards outfit the Accredited Standards Committee X9 have decided to combine forces on personal identification number (PIN) handling rules. Today, both have their own standards, which is a pain for organisations like banks that follow rules set by both …

  1. Anonymous Coward

    Bring on the corrections to your reference...

    1. Alister Silver badge

      Yep, the last stanza should be:

      One ring to rule bring them all and in the darkness bind them.

  2. WonkoTheSane

    Obligatory XKCD

    1. Pascal Monett Silver badge

      Re: Obligatory XKCD

      Exactly what I was thinking of.

  3. DontFeedTheTrolls Silver badge

    If an XKCD is obligatory then please include it as a hyperlink.

    Instructions are in The Register Comments Guidelines

  4. MJB7 Silver badge

    To be fair

    This is an agreement between the people setting the standards. Both sides regularly update their standard. If they update it to be identical, then there will only be one standard. (Just like the BSI and DIN, and ANSI all have standards for the C programming language - they are just the *same* standard.)

  5. JimmyPage Silver badge

    About ... 30 years too late ?

    Fuck PINs. What we need is a password standard ...

    minimum/maximum length

    defined character set

    defined complexity modifiers (numbers, punctuation, case)

    storage mechanism (hashed)

    recovery protocol (hashed URL with time limits and supplementary challenge)

    would be a good starting point.

    I've booked 2035 off, to read the first draft.

    1. Carpet Deal 'em Bronze badge

      Re: About ... 30 years too late ?

      There are far too many legacy systems to simply not consider PINs. As for a password standard, the US NIST has some recommendations on that front. The highlights:

      - All printing ASCII characters (space included) permitted; Unicode support preferable, but not required

      - Minimum of eight characters for chosen passwords (six characters for randomly generated ones)

      - Permitted password length of at least 64 characters

      - Checked against a blacklist

      - No complexity or rotation requirements

      The gory details are here.
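The two posts above, JimmyPage's wishlist and Carpet Deal 'em's summary of the NIST highlights, describe a password acceptance policy in prose. The following is an added example, written for this page and not code from either commenter, NIST or The Register, that turns those highlights into a checkable function: printable characters including space (and non-control Unicode) are permitted, the minimum is eight characters for a user-chosen password and six for a generated one, at least 64 characters are accepted, the candidate is checked against a blocklist, and there are no complexity or rotation rules. The blocklist contents, the NFKC normalisation step and the case-insensitive blocklist match are assumptions made for the example.

```python
import unicodedata

# Constructed sample blocklist; a real deployment would load a list of
# known breached or common passwords instead.
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein1"}

MIN_LEN_CHOSEN = 8      # minimum for a password the user picks
MIN_LEN_GENERATED = 6   # minimum for a randomly generated password
MAX_LEN = 64            # the policy must accept at least 64 characters


def check_password(pw: str, generated: bool = False) -> list[str]:
    """Return the reasons a candidate password is rejected.

    An empty list means the password is accepted. Deliberately absent:
    any requirement for digits, punctuation or mixed case, and any notion
    of expiry, matching the "no complexity or rotation requirements" point.
    """
    reasons: list[str] = []

    # Assumption: normalise to NFKC so that visually identical Unicode input
    # typed on different keyboards compares and hashes the same way.
    pw = unicodedata.normalize("NFKC", pw)

    # Permit every printing character. Space is category Zs and is allowed;
    # control, format, surrogate, private-use and unassigned code points
    # (Unicode general category C*) are rejected.
    if any(unicodedata.category(ch).startswith("C") for ch in pw):
        reasons.append("control or unassigned character not permitted")

    # Length is measured in code points after normalisation.
    minimum = MIN_LEN_GENERATED if generated else MIN_LEN_CHOSEN
    if len(pw) < minimum:
        reasons.append(f"shorter than {minimum} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")

    # Assumption: the blocklist match is case-insensitive, so a trivial
    # capitalisation of a blocked password is still blocked.
    if pw.lower() in BLOCKLIST:
        reasons.append("found in blocklist")

    return reasons


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Password", "abc1234", "\U0001F512" * 8]:
        verdict = check_password(candidate)
        print(repr(candidate), "accepted" if not verdict else verdict)
```

Note that an all-lowercase passphrase with spaces is accepted while a capitalised dictionary word is not, which is the point of the NIST approach: length and a blocklist do more than complexity rules.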

  6. Anonymous Coward

    Overlapping standards compliance

    "The overlapping standards also make life hard for assessors who may consider an organisation's PCI compliance is not in order if they adhere to the X9 rules."

    Won't make much of a difference if your computer can be compromised by opening a malicious email attachment or clicking on a malicious weblink.

  7. nagyeger

    the darkness bind them

    I thought the whole thing about the one pin, was that assuming you don't want to be subject to the evil overlord, you needed to throw it into Mount Doom? (see icon for effectiveness >>>>)

    Now all we need to do is work out how you do that to the customer services bod....


Biting the hand that feeds IT © 1998–2020