What are the PCI DSS Password Requirements?

Published September 23, 2020 • 2 min read

The PCI DSS compliance password requirements are mandated by Requirement 8 of the Payment Card Industry Data Security Standard (PCI DSS). Password compliance plays a key role in the PCI standards because it dictates the password complexity necessary to help an organization better defend its systems against unauthorized access. 

What Are the PCI Password Requirements?

To be PCI compliant, organizations must follow these password requirements:

  • Passwords/passphrases must have a minimum length of seven characters.
  • Passwords/passphrases must contain both numbers and alphabetic characters.
  • Users are required to change passwords/passphrases at least every 90 days.
  • Password/passphrase parameters must be set to require the new password/passphrase to be different from the previous four passwords/passphrases.
  • First-time passwords/passphrases for new users and reset passwords/passphrases for existing users must be unique to each user and changed after the first use.
  • Limit repeated access attempts by locking out the user ID after not more than six attempts. 
  • Once a user is locked out of his account, the account remains locked for a minimum of 30 minutes or until a system administrator resets the account.
  • Vendor-supplied defaults for system passwords/passphrases are not allowed.
  • Passwords/passphrases must be encrypted during transmission and storage.

The PCI DSS password requirements include a minimum level of complexity and strength so that they can be met by all types of companies using a variety of technologies. 

The PCI Security Standards Council, which developed the PCI standards for compliance, encourages enterprises to implement stronger controls or additional security measures to meet their security needs.

The PCI DSS allows companies to implement controls other than those defined in the standard, including those defined by the National Institute of Standards and Technology Special Publication (NIST) 800-63, as long as those controls follow PCI password policy.

NIST SP 800-63 provides requirements, recommendations, and guidance for the use of memorized secrets, such as PINs and passwords, to authenticate digital identity. 

What is PCI DSS?

The PCI DSS is an information security standard for companies that handle credit cards from the major card brands. The PCI DSS requirements aim to ensure that all companies that process, store, or transmit credit card data maintain secure environments.

PCI compliance is a must for every entity that accepts one or more of the major payment card brands—Visa, Mastercard, American Express, Discover, or JCB. PCI DSS lists 12 requirements:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Protect all systems against malware and regularly update anti-virus software or programs. 
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Identify and authenticate access to system components. 
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for all personnel.

Within each requirement are directives—281 in all.

What is PCI Compliance?

PCI compliance refers to the technical and operational standards that organizations are mandated to follow to protect and secure cardholder data that are transmitted through card processing transactions. 

Every merchant and service provider that handles cardholder data must have a risk assessment performed to show that they adhere to the 12 data security standards of the PCI DSS. 

Under the PCI DSS requirements, any merchant using a service provider must monitor the PCI compliance of that vendor.

Learn how we can fit into your business.

Schedule a demo to learn how we can help guide your organization to confidence in infosec risk and compliance.

See ZenGRC in action!

Get a demo