Frequently Asked Questions on Abacus Passcode Security

Q1) What is Account Information Security (AIS) and to whom does AIS apply?
Q2) What is Payment Card Industry (PCI) Data Security Standard?
Q3) What are the new requirements for Abacus passcode security?
Q4) What do I need to do if my staff shares the same user ID & passcode to sign-in to Abacus System?
Q5) What do I need to do if I currently press one of the PF keys to sign-in to AbacusWhiz?
Q6) Why is this happening? No other GDS has the same restrictions.
Q7) What are the restricted words that cannot be used as passcodes?
Q8) How do I change my current passcode to meet the new requirements?
Q9) What should I do if I forget my passcode?
Q10) What resources are available if I want to learn more about Abacus Passcode Security?
Q11) What happens if I don't use my Login ID for a long period of time?
Q12) How will I know if I need to change my current passcode to a new one?
Q13) What's the best way to prevent problems resulting from this change?
Q14) How do I clear or reset a passcode?
Q15) What are the production dates associated with the new passcode requirements?
Tips for Setting Up Passcode

Q1) What is Account Information Security (AIS) and to whom does AIS apply?

Account Information Security, or AIS, is a Risk Management program sponsored by Visa and run by Visa's members. The AIS program is a requirement for all entities participating in the Visa payment system, i.e. those entities that process, store or transmit Visa cardholder account and/or transaction information, including merchants and service providers.


Q2) What is Payment Card Industry (PCI) Data Security Standard?

To establish common industry standards, Visa and MasterCard produced the Payment Card Industry (PCI) Data Security Standard - a common set of industry requirements to ensure the safe handling of cardholder information. The PCI standard has been developed to set a 'minimum standard' in the marketplace with regard to the protection of cardholders' sensitive account and transaction information. Other global payment organizations have also endorsed the Standard and plan to adopt it as the framework for their respective programs.
 


Q3) What are the new requirements for Abacus passcode security?

i. Must have a minimum of 7 characters and a maximum of 8 characters
ii. Must contain at least one numeric and one alpha character
iii. Cannot contain a Q or Z
iv. Cannot reuse the last four passwords
v. No more than three repeating characters allowed (e.g. AAA)
vi. Cannot use banned or proper names/words (e.g. DALLAS)
vii. Must be changed every 90 days

Points to note:

  • All passcodes will expire if not changed by May 30, 2006
  • Users will be prompted on all passcode restrictions
  • Users will be notified 10 days prior to passcode expiration

Q4) What do I need to do if my staff shares the same user ID & passcode to sign-in to Abacus System?

With the exception of robotics and applications, no users should share the same user ID and passcode. Request an individual EPR for each user.
 


Q5) What do I need to do if I currently press one of the PF keys in AbacusWhiz to sign-in to Abacus System?

The PF key should be de-activated to prevent unauthorized personnel from signing in to Abacus System without your permission.


Q6) Why is this happening? No other GDS has the same restrictions.

All GDS will have to comply, but each has negotiated their own timetable to respond.


Q7) What are the restricted words that cannot be used as passcodes?

The system holds more than 20,000 restricted names and words that cannot be used as passcodes, including offensive language. Note that the system changes the list on an irregular basis, and no further notification will be given for these updates. The aim of the database is to make people use more complex passcodes, which are harder to break. The list does not contain all names, but bear in mind that a restricted root causes any longer word containing it to fail. For example, PERS is invalid, so PERSON is also invalid because it contains the root PERS.
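The rules in Q3 and the root matching described in Q7 can be expressed as a single check. The following is an added example, not Abacus code: the function name, the two-entry restricted list (built from the page's own PERS and DALLAS examples), case-insensitive comparison, and the literal reading of rule v (a run longer than three is rejected) are all assumptions.

```python
import re

# Constructed sample of the restricted list; the page names only PERS and
# DALLAS out of more than 20,000 entries.
RESTRICTED_ROOTS = {"PERS", "DALLAS"}


def check_passcode(candidate, previous=(), roots=RESTRICTED_ROOTS, max_run=3):
    """Return the list of Q3 rules the candidate breaks (empty list = accepted).

    previous: earlier passcodes, oldest first. A production system would
    compare against stored salted hashes instead of plaintext history.
    Rule vii (change every 90 days) is an expiry check, not a content check,
    so it is not covered here.
    """
    pc = candidate.upper()  # assumption: comparison is case-insensitive
    problems = []
    if not 7 <= len(pc) <= 8:
        problems.append("i: length must be 7 or 8 characters")
    if not (any(c.isdigit() for c in pc) and any(c.isalpha() for c in pc)):
        problems.append("ii: needs at least one numeric and one alpha character")
    if "Q" in pc or "Z" in pc:
        problems.append("iii: contains Q or Z")
    if pc in (p.upper() for p in previous[-4:]):
        problems.append("iv: reuses one of the last four passcodes")
    # Assumption: rule v read literally, so only a run longer than max_run fails.
    if re.search(r"(.)\1{%d,}" % max_run, pc):
        problems.append("v: more than %d repeating characters" % max_run)
    # Q7: a restricted root anywhere inside the passcode fails the whole passcode.
    hits = sorted(r for r in roots if r in pc)
    if hits:
        problems.append("vi: contains restricted root " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    for sample in ("TCITH168", "PERSON12", "AAAA1234", "QUIZ1"):
        print(sample, check_passcode(sample) or "accepted")
```
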


Q8) How do I change my current passcode to meet the new requirements?

i. Use your Tab key to move between fields in Abacus System sign-in mask. Use Shift + Tab to move backwards
ii. To change your passcode, input your current passcode
iii. Tab to the new passcode field, input your new passcode
iv. Hit the Enter key

Points to note:

  • Ensure the new passcode that you enter meets all the new requirements
  • You will be signed into the Abacus system and your passcode will be changed
  • Your passcode will not appear on the screen for security purposes
 

Q9) What should I do if I forget my passcode?

Ask your administrator to reset your passcode. Please refer to Question 14 below, "How do I clear or reset a passcode?"


Q10) What resources are available if I want to learn more about Abacus Passcode Security?

Users can refer to AbacusWhiz DRS page Y/AAI/PDT/P2 and Abacusspace Format Finder for the complete guidelines and information on Abacus Passcode Security.


Q11) What happens if I don't use my Login ID for a long period of time?

If you attempt to sign in to an EPR that has been inactive for 90 days or more, the system will display "INVALID ID". You will not be able to sign in unless your EPR has been reset by the system administrator.


Q12) How will I know if I need to change my current passcode to a new one?

Users will be prompted 10 days prior to the expiration of their current passcode, up until the time when the passcode must be changed. When this happens, sign in with your current passcode and enter the new passcode (it should then be in compliance with the new Abacus Passcode Security requirement).


Q13) What's the best way to prevent problems resulting from this change?

Immediately ensure that ALL passcodes (either individual or in applications or robotic programs) are a minimum of seven characters in length. This will mean that no further passcode changes will be necessary until June 20, 2006.


Q14) How do I clear or reset a passcode?

Call Helpdesk.

Points to note:

  • You must have the CREATE keyword in your EPR

Q15) What are the production dates associated with the new passcode requirements?

The production dates are as follows:

  • 26 January 2006 - passcode length validation (all users changing passcodes must adhere to the new requirements)
  • 02 February - users who sign into the system with a 6 character passcode will see a warning message notifying them that effective 01 March all passcodes must be a minimum of 7 characters in length. All EPRs must have a passcode before they can be end transacted and activated
  • 22 March 2006 - users with 6 character passcodes will be locked out until the passcode is changed, and lockout after 6 invalid attempts will be initiated.
  • 20 June 2006 - first date that all non-robotic users must change passcode


Tips for creating a strong password


A good password is not a password at all. Instead, it is a system for creating codes that are easy to remember but hard to crack. And by codes we do mean codes, plural, so that someone who finds out one of your passwords won't know them all. Here is one set of password guidelines to help you generate unguessable - but memorable - gibberish.

Step 1: Choose a core phrase. Start with a phrase that is at least five words long. It could be the first line of a song, a quotation, a book title—anything that sticks in your head. Draw your core password from that, perhaps by using the first letter of each word.

TCITH

These are the first letters of the book title The Cat in the Hat.

The payoff: This simple step protects you from someone who is running what's called a dictionary attack, in which every single word in the dictionary (and many proper names too) is tried until the right one is found. Computers can run through a dictionary attack in no time flat.

Step 2: Now mix things up by adding numerals that make sense to you, so you don't have to write your system down.

TCITH168

TCI168TH

1TCI6TH8

The payoff: This step exponentially increases the amount of time needed by someone running a password-cracking program that burns through every possible combination of characters until it finds the right one.

Keeping Your Passcode Secret:

  • Use at least 7 - 8 characters.
  • Use a combination of letters and numbers (0-9).
  • Easy to remember but difficult for others to guess, and:
    • Not your login name, your spouse's name, or your birthday.
    • Not common words found in the dictionary, in any language. Hackers use sophisticated tools that can rapidly guess passwords that are based on words in the dictionary, in a variety of languages, and using words spelled backwards.
    • Not hard to remember. Random combinations of letters and symbols that must be written down to be remembered can be misplaced, or found by others and used.
  • Do not include spaces or international characters.
  • Change your password every 90 days.
  • Never share your password with anyone.
  • Do not respond to any message that asks for your password.
  • Don't store written passwords in your desk. If found, such a note, created for your convenience, can provide easy access to your computer for burglars.
  • Never provide your password over e-mail even if a trusted company or individual requests it. Internet "phishing" scams might use fraudulent e-mail to entice you into revealing your user names and passwords so criminals can access your accounts, steal your identity, and more.

Help gauge the strength of your passwords with the password checker.