Payment Card Industry (PCI) Data Security Standards Practice Test

According to Requirement 8, what is the minimum complexity requirement for user passwords?

• A. 5 characters, either alphabetic or numeric
• B. 7 characters, both alphabetic and numeric characters
• C. 6 characters, both alphabetic and numeric characters
• D. 8 characters, either alphabetic or numeric

The correct answer is: 7 characters, both alphabetic and numeric characters

The correct answer indicates that the minimum complexity requirement for user passwords, as stated in Requirement 8 of the PCI Data Security Standards, is that passwords should be at least 7 characters long and must include both alphabetic and numeric characters. This requirement is in place to enhance security and reduce the vulnerability of user accounts to brute force attacks or other unauthorized access attempts. Requiring a minimum length of 7 characters ensures there is sufficient complexity within the password, making it notably harder for attackers to guess. The incorporation of both alphabetic and numeric characters further strengthens the password by increasing the potential character set used, thereby enhancing the overall randomness and unpredictability of the password. The other options do not meet the specified minimum complexity for passwords, either due to insufficient length or lack of character variety, making them less secure than what is mandated by the PCI standards. This principle of password complexity is crucial for maintaining a strong security posture within organizations that handle payment card information, helping to protect cardholder data and mitigate the risk of breaches.