As mandated by the Payment Card Industry Data Security Standards (PCI DSS) are clearly stated within Requirement 8 of Version 3.0 of the PCI DSS standards. Specifically, the PCI compliance password requirements are the following:
- Require a minimum length of at least seven characters.
- Contain both numeric and alphabetic characters.
- Users to change passwords at least every 90 days.
- Password parameters are set to require that new passwords cannot be the same as the four previously used passwords.
- First-time passwords for new users, and reset passwords for existing users, are set to a unique value for each user and changed after first use
- User accounts are temporarily locked-out after not more than six invalid access attempts.
- Once a user account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the account.
- System/session idle time out features have been set to 15 minutes or less.
- Passwords are protected with strong cryptography during transmission and storage.