PCI DSS Password Requirements

Generate passwords that meet PCI DSS v4.0 requirements for cardholder data environments. Covers minimum length, complexity, rotation policies, and multi-factor authentication mandates.

Detailed Explanation

PCI DSS v4.0 Password Requirements

The Payment Card Industry Data Security Standard (PCI DSS) sets security requirements for any organization that processes, stores, or transmits credit card data. Version 4.0 updated password requirements significantly.

Requirement 8: Identify Users and Authenticate Access

Minimum Password Length

PCI DSS v4.0 increased the minimum password length:

  • Requirement 8.3.6: Minimum 12 characters (increased from 7 in v3.2.1)
  • If the system does not support 12 characters, the minimum is 8 characters

Complexity Requirements

Unlike NIST, PCI DSS does mandate complexity:

  • Requirement 8.3.6: Passwords must contain both numeric and alphabetic characters
  • Additional complexity (symbols, mixed case) is recommended but not strictly required

Password Rotation

  • Requirement 8.3.9: Passwords must be changed at least every 90 days
  • Requirement 8.3.7: New passwords cannot match any of the last 4 passwords

Account Lockout

  • Requirement 8.3.4: Lock accounts after no more than 10 invalid access attempts
  • Requirement 8.3.4: Lockout duration of at least 30 minutes or until admin unlock
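The lockout rules above are easy to state and easy to get subtly wrong in code (attempts made during a lockout, expiry of the 30-minute window, resetting the counter after a successful login). The following tracker is an added example written for this page, not code from the generator tool it describes; the in-memory store, the reference time `EPOCH` and the helper names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

MAX_FAILED_ATTEMPTS = 10                   # Requirement 8.3.4: lock after no more than 10
LOCKOUT_DURATION = timedelta(minutes=30)   # Requirement 8.3.4: locked at least 30 minutes

# Constructed reference time so the example runs deterministically offline.
EPOCH = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)


def at(minutes):
    """Return a timestamp `minutes` after the constructed EPOCH."""
    return EPOCH + timedelta(minutes=minutes)


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


class LockoutTracker:
    """Per-user lockout state kept in memory (an assumption of this example;
    a real deployment shares this state across all authentication nodes)."""

    def __init__(self):
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, user_id):
        return self._accounts.setdefault(user_id, AccountState())

    def is_locked(self, user_id, now):
        state = self._state(user_id)
        if state.locked_until is None:
            return False
        if now >= state.locked_until:
            # The 30-minute window has elapsed: clear the lock and start a fresh counter.
            state.locked_until = None
            state.failed_attempts = 0
            return False
        return True

    def record_failure(self, user_id, now):
        """Call after a failed credential check; returns True if the account is now locked."""
        if self.is_locked(user_id, now):
            return True          # attempts during a lockout never shorten or reset it
        state = self._state(user_id)
        state.failed_attempts += 1
        if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
            state.locked_until = now + LOCKOUT_DURATION
            return True
        return False

    def record_success(self, user_id, now):
        """Call after a successful credential check; refused while the account is locked."""
        if self.is_locked(user_id, now):
            return False
        self._accounts[user_id] = AccountState()   # successful login resets the counter
        return True

    def admin_unlock(self, user_id):
        """Administrator has confirmed the user's identity and clears the lock early."""
        self._accounts[user_id] = AccountState()

    def failed_attempts(self, user_id):
        return self._state(user_id).failed_attempts


def replay_failed_logins(tracker, user_id, start, count):
    """Feed `count` failed logins one second apart (e.g. replayed from an auth log)
    and return the attempt number at which the account locked, or None."""
    for i in range(1, count + 1):
        if tracker.record_failure(user_id, start + timedelta(seconds=i)):
            return i
    return None


if __name__ == "__main__":
    tracker = LockoutTracker()
    print("locked at attempt:", replay_failed_logins(tracker, "alice", at(0), 12))
    print("still locked after 29 min:", tracker.is_locked("alice", at(29)))
    print("locked after 31 min:", tracker.is_locked("alice", at(31)))
```

The expiry check lives in `is_locked` so every entry point (failure, success, status query) sees the same rule, and a failed attempt made while locked is simply refused rather than extending the lock, which keeps an attacker from holding a legitimate user out indefinitely by retrying.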

Multi-Factor Authentication (MFA)

PCI DSS v4.0 expanded MFA requirements:

  • Requirement 8.4.2: MFA for all access to the cardholder data environment (CDE)
  • Requirement 8.4.3: MFA for all remote network access

Generating PCI-Compliant Passwords

A PCI DSS-compliant password generator should:

  1. Generate passwords of 12+ characters
  2. Include both letters and numbers at minimum
  3. Use cryptographic randomness
  4. Check that the password is not in the user's last 4 passwords
  5. Pair with an MFA solution

Example Compliant Configuration

Length:    14 characters
Uppercase: Required
Lowercase: Required
Digits:    Required
Symbols:   Optional (recommended)
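The five generator steps and the example configuration above map directly onto a small amount of code. The block below is an added example written for this page, not the tool's own implementation; it assumes the history of previous passwords is stored as salted PBKDF2 digests (the KDF and its iteration count are assumptions) and uses the CSPRNG in Python's `secrets` module. The sample history entries are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import string
from datetime import datetime, timedelta, timezone

# Policy constants taken from the PCI DSS v4.0 requirements described above.
MIN_LENGTH = 12                          # Requirement 8.3.6
FALLBACK_MIN_LENGTH = 8                  # 8.3.6: only if the system cannot support 12
HISTORY_DEPTH = 4                        # Requirement 8.3.7
MAX_PASSWORD_AGE = timedelta(days=90)    # Requirement 8.3.9
PBKDF2_ITERATIONS = 200_000              # assumed KDF setting for the history store


def hash_password(password, salt=None):
    """Return (salt, digest) for one entry of the rotation history. A per-entry
    random salt plus PBKDF2 keeps old passwords from being recovered from the store."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_history(password, history):
    """True if the password equals any of the last HISTORY_DEPTH entries (8.3.7)."""
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password_policy(password, history=(), supports_12_chars=True):
    """Return a list of violations; an empty list means the password is compliant."""
    problems = []
    min_len = MIN_LENGTH if supports_12_chars else FALLBACK_MIN_LENGTH
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters (8.3.6)")
    if not any(c.isalpha() for c in password):
        problems.append("contains no alphabetic character (8.3.6)")
    if not any(c.isdigit() for c in password):
        problems.append("contains no numeric character (8.3.6)")
    if matches_history(password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords (8.3.7)")
    return problems


def changed_days_ago(days):
    """Constructed timestamp helper: a password last changed `days` ago."""
    return datetime.now(timezone.utc) - timedelta(days=days)


def rotation_due(last_changed, now=None):
    """True once the password is 90 or more days old (8.3.9)."""
    now = now or datetime.now(timezone.utc)
    return now - last_changed >= MAX_PASSWORD_AGE


def generate_password(length=14, symbols=False, history=()):
    """Generate a password matching the example configuration: uppercase, lowercase
    and digits required, symbols optional. Rejection sampling (draw, then test)
    keeps the output uniform over all strings that satisfy the policy."""
    if length < MIN_LENGTH:
        raise ValueError("PCI DSS v4.0 requires at least 12 characters")
    alphabet = string.ascii_letters + string.digits
    if symbols:
        alphabet += string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        has_classes = (any(c.isupper() for c in candidate)
                       and any(c.islower() for c in candidate)
                       and any(c.isdigit() for c in candidate))
        if has_classes and not check_password_policy(candidate, history):
            return candidate


if __name__ == "__main__":
    # Constructed history: the user's last two passwords, stored hashed.
    history = [hash_password("OldPassword2023"), hash_password("Summer2024xyz")]
    print("reused password:", check_password_policy("Summer2024xyz", history))
    print("too short:", check_password_policy("Tr0ub4dor"))
    print("generated:", generate_password(length=14, history=history))
    print("rotation due:", rotation_due(changed_days_ago(91)))
```

Two design points are worth noting. First, the generator never forces a digit into a fixed position; it draws the whole string and retries, so an attacker learns nothing about the structure from the policy. Second, the history check compares hashes in constant time against each stored salt, so the plaintext of earlier passwords is never kept, which is what an auditor will expect to see for Requirement 8.3.7.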

Use Case

PCI DSS compliance is mandatory for e-commerce platforms, payment processors, banks, retailers, and any business handling credit card transactions. IT teams must configure password policies that meet these standards, and auditors verify compliance during annual PCI assessments. A password generator configured for PCI DSS helps demonstrate compliance.