We suggest the PCI Compliance Options be set as shown below.
- Number of failed login attempts after which a user account must be suspended: The number of login attempts that a user is allowed to make using an incorrect password before X-Cart automatically suspends their account. For compliance with PCI Data Security Standard, set this value to 6.
- Lockout duration in minutes (Leave empty if you do not want to automatically re-enable automatically suspended users): The time period for which a user must remain suspended after having been automatically suspended by the system after a number of failed login attempts. For compliance with PCI Data Security Standard, set this value to 30 minutes or leave the field empty.
- Number of days of inactivity after which an administrator account must be suspended (Set to 0 or leave empty if you do not wish to suspend unused administrator accounts): The number of days that an administrator account may remain inactive before getting automatically suspended by X-Cart. For compliance with PCI Data Security Standard, set this value to 90 days.
- Use password strength check: This option allows you to enable password strength check for passwords created by the users of your store. If this option is enabled, every time a user creates a new password for their account, X-Cart will perform a check to ensure that this password contains both numeric and alphabetic symbols and is no less than 7 symbols in length. If this option is disabled, no such check will be performed. For compliance with PCI Data Security Standard, enable this option.
- Number of days after which non-customer users must be requested to change their password: The number of days since the user's most recent login after which X-Cart must request the user to change their password. This setting is relevant only for non-customer users (administrators, providers). For compliance with PCI Data Security Standard, set this value to 90 days.
- Do not allow a user to submit a new password that is the same as any of the last four passwords they have used: This option helps you ensure that users who are requested to change their password will change their password to something new (not a password they have already used). For compliance with PCI Data Security Standard, enable this option.