Section 3.1 of the Visa Payment Application Best Practices (PABP) states:
Test the application to verify that unique user names and complex passwords are required for all administrative access and for all access to cardholder data, in accordance with PCI DSS requirement 8.1, 8.2, and 8.5all.
I am in the process of modifying the jPOS-ee ui (eeweb3) to support these requirements, as well as to have them be set as configurable values to implement your organization security polices. We use some of the jPOS-ee eeweb3 module in some of our payment solutions, notably our OLS.Switch
The development and testing in ongoing, but I wanted to give a brief synopsis of the changes that mostly leverage the used of User properties and SysConfig properties:
Flag to set a user account Status: Active || Inactive
- Ability to force a user to require a password change on their next login
- Password minimum length, Password change interval
- Password Complexity options (based on required use of # of character classes (Upper, Lower, Numeric, Special, or required # of each type))
- Password History (configurable number of passwords to check)
- Account Lockout (and configurable duration)
After I’m done coding and testing I’ll provide the code to jpos.org to merge into jpos-ee svn codebase.