Skip to main content

PCI compliance password requirements - Knowledgebase / PCI Compliance - Foregenix Customer Support

PCI compliance password requirements

Authors list

As mandated by the Payment Card Industry Data Security Standards (PCI DSS) are clearly stated within Requirement 8 of Version 3.0 of the PCI DSS standards. Specifically, the PCI compliance password requirements are the following:

  • Require a minimum length of at least seven characters.
  • Contain both numeric and alphabetic characters.
  • Users to change passwords at least every 90 days.
  • Password parameters are set to require that new passwords cannot be the same as the four previously used passwords.
  • First-time passwords for new users, and reset passwords for existing users, are set to a unique value for each user and changed after first use
  • User accounts are temporarily locked-out after not more than six invalid access attempts.
  • Once a user account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the account.
  • System/session idle time out features have been set to 15 minutes or less.
  • Passwords are protected with strong cryptography during transmission and storage.