Password Updates and Requirements in PCI 4.0.1

Complying with PCI DSS Requirement 8 deals with user accounts, passwords, and password management. This requirement is all about having unique, difficult-to-discover account information.


Complying with PCI DSS Requirement 8 deals with user accounts, passwords, and password management. This requirement is all about having unique, difficult-to-discover account information. For example, you must have your own unique ID and password on your laptop, with strong password cryptography. Never use generic account names, shared group passwords, or simple/vendor default passwords.

PCI DSS v4.0.1 introduces several changes to the password requirements you must meet to be PCI compliant.

Requirement 8.3.6 (March 31, 2025)

To strengthen passwords, the minimum length is moving from 7 to 12 alphabetic and numeric characters. Depending on your applications, this could be a simple fix or it may require some code changes. So, start checking now to see whether any systems in use in your CDE would have difficulty with this future-dated requirement.

Requirement 8.3.10.1 (March 31, 2025)

Another change in section eight around passwords pertains to service providers. Customers of service providers will now have to change their passwords every 90 days if they are using just a password for authentication (i.e., they are not using multi-factor authentication).

If you are completing SAQ C or SAQ D, there is a requirement that you reset your password every 90 days.

In version 4.0.1, you either have to change your password every 90 days or you must have some other form of authentication other than just username and password.

If someone's already implemented multi-factor authentication (MFA) on their ecommerce server, they don't have to change passwords every 90 days in version 4.0.1.

These requirement changes help increase your authentication security on ecommerce redirect servers.

In addition to these changes, there are some other tips you can follow to ensure you have PCI compliant passwords. 

Set lockout rules

PCI requirement 8 requires accounts to be locked after six consecutive failed login attempts. Accounts must stay locked for thirty minutes, or until a system administrator resets the account. This helps prevent several kinds of brute-force attacks. If an attacker only has six chances to guess the correct password, their attempts will likely fail. Once locked out, they will move on to an easier target.
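As an added example (not from the original article or from the PCI SSC), the following Python encodes the three numeric rules stated above as checks you could run against an account store: the 12-character minimum of Requirement 8.3.6, the 90-day change of Requirement 8.3.10.1 when MFA is absent, and the six-attempt / 30-minute lockout. The function and class names are my own.

```python
from datetime import datetime, timedelta

# Policy values as stated in the article (PCI DSS v4.0.1, Requirement 8).
MIN_LENGTH = 12          # Req. 8.3.6: at least 12 alphabetic and numeric characters
MAX_FAILED_ATTEMPTS = 6  # lock the account after six consecutive failures
LOCKOUT_MINUTES = 30     # stay locked for 30 minutes or until an admin resets it
ROTATION_DAYS = 90       # Req. 8.3.10.1: change every 90 days when only a password is used

def meets_min_strength(password: str) -> bool:
    """Req. 8.3.6 check: at least 12 characters, containing both letters and digits."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))

def rotation_required(last_changed: datetime, now: datetime, mfa_enabled: bool) -> bool:
    """Req. 8.3.10.1: the 90-day change is only required when MFA is not in place."""
    return not mfa_enabled and now - last_changed >= timedelta(days=ROTATION_DAYS)

class AccountLockout:
    """Tracks consecutive failed logins and enforces the 6-attempt / 30-minute lockout."""
    def __init__(self) -> None:
        self.failed = 0
        self.locked_until = None

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def record_failure(self, now: datetime) -> bool:
        """Return True when this failure leaves the account locked."""
        if self.is_locked(now):
            return True
        if self.locked_until is not None:  # an earlier lockout expired: start a fresh count
            self.admin_reset()
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + timedelta(minutes=LOCKOUT_MINUTES)
            return True
        return False

    def record_success(self, now: datetime) -> bool:
        """A correct password is accepted only while the account is not locked."""
        if self.is_locked(now):
            return False
        self.admin_reset()  # success clears the failure counter
        return True

    def admin_reset(self) -> None:
        """Manual unlock by an administrator, the alternative to waiting 30 minutes."""
        self.failed = 0
        self.locked_until = None
```

Note that a correct password submitted during the lockout window is still rejected; the counter only clears on a successful login after the window ends or on an administrator reset.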

Use Passphrases instead of passwords 

More recently, password length, in the form of longer, memorable word strings, has proven to be a more important security practice than the use of shorter complex passwords. An easy way to remember long, difficult-to-crack passwords is to use passphrases.

Passphrases are groups of words that might include spaces and punctuation (e.g., “The Best Is Yet To Come, I Hope!”). According to https://www.security.org/how-secure-is-my-password/, this sample passphrase would take a staggering 63 tredecillion years to crack, whereas a shorter but more complex password like “X8!aM@5D” would take only eight hours.

A passphrase should typically be at least 16 characters long and contain special symbols, upper and lower-case letters, and numbers, and doesn’t have to make sense grammatically. Passphrases are generally much easier to remember, but exponentially harder to crack than shorter complex passwords.

You likely know these, but a few basic guidelines for passwords include:

  • Use a mixture of upper and lower-case letters
  • Don’t include name or other personal information
  • Replace some letters with numbers
  • Use nonsense phrases, misspellings, or substitutions
  • Do not use repeating patterns between password changes
  • Do not use the same passwords for work and personal accounts

You can’t really afford to have weak passwords. Ultimately a password isn’t going to completely secure your data. What you really need is to use a combination of multi-factor authentication, encryption, and other protocols to make sure your data is secure. But having a strong password is a good start.

Conclusion

Security professionals recognize that passwords alone are no longer a sufficient method to secure access to systems that store critical data. But while passwords alone are insufficient to adequately secure your systems and the data that resides on them, or is connected to them, they are still an important first line of defense. It is critical that you use passwords of sufficient length to make it statistically improbable that they could be brute-forced or discovered as part of a dictionary attack in any reasonable amount of time.

PCI compliance evolves with modern technology and modern hacking techniques. New computers crack passwords faster than ever, so longer passwords and multi-factor authentication are designed to protect you. 

Remembering that PCI DSS is a protection for your business and is intended to keep you safe from threat actors can help you frame PCI compliance as a positive experience instead of a checklist item.

You will need to be compliant with the PCI DSS 4.0.1 requirements (in effect since March 31, 2025).