GRCWatch
Sign inStart free trial

PCI DSS 8.3.4: Lock Out User IDs After Maximum Failed Attempts

Account lockout policies are your first line of defense against brute force attacks targeting user credentials. PCI DSS 8.3.4 requires automatic lockout after no more than ten failed authentication attempts, forcing attackers to abandon password guessing strategies. Implementing this control reduces your risk exposure and demonstrates due diligence to auditors.

What this means

This control requires your systems to automatically disable a user ID after a maximum of ten consecutive failed login attempts. The lockout prevents attackers from using automated tools to guess weak passwords or test stolen credentials. Once locked, the account should remain inaccessible until an administrator or the legitimate user resets it through a secure process.

How to comply

  1. 1.Configure authentication systems to count failed login attempts per user ID
  2. 2.Set the lockout threshold to ten failed attempts or fewer
  3. 3.Implement automatic account lockout when the threshold is exceeded
  4. 4.Require administrative action or secure verification to unlock accounts
  5. 5.Log all lockout events with timestamps and user identifiers
  6. 6.Test lockout functionality across all systems storing cardholder data
  7. 7.Document your lockout policy and communicate it to users and administrators
  8. 8.Monitor and audit lockout events regularly for suspicious patterns

Evidence auditors look for

  • Authentication system logs showing failed attempt counts per user ID
  • Configuration screenshots demonstrating lockout threshold set to ≤10 attempts
  • Account lockout event logs with dates, times, and user identifiers
  • System documentation describing the lockout and unlock procedures
  • User communication materials explaining the lockout policy
  • Test results validating lockout activation at the configured threshold
  • Administrative unlock procedures and audit trail records
  • Security vulnerability scans confirming brute force protection

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates lockout policy deployment across your cardholder environment and aggregates failed-attempt logs from all systems, eliminating manual log review and reducing lockout compliance evidence collection from weeks to minutes.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 8.2.1 — Strong Cryptography for AuthenticationPCI DSS 8.2.3 — Passwords Encrypted During Storage and TransmissionPCI DSS 8.2.4 — Unique User IDs for All System UsersPCI DSS 8.5.4 — Removal or Disablement of Inactive User Accounts