8.2.4 Change user passwords/passphrases at least once every 90 days

8.2.4.a For a sample of system components, inspect system configuration settings to verify that user password/passphrase parameters are set to require users to change passwords at least once every 90 days.
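As an added illustration that is not part of the PCI DSS text, the script below shows the kind of configuration inspection 8.2.4.a calls for on a Linux host: it reads login.defs-style and shadow-format input (constructed samples here, not real accounts) and reports where the maximum password age is unset or exceeds 90 days.

```shell
#!/bin/sh
# Constructed sample of /etc/login.defs content (not from a real system).
SAMPLE_LOGIN_DEFS='PASS_MIN_DAYS 1
PASS_MAX_DAYS 99999
PASS_WARN_AGE 7'

# Constructed sample lines in /etc/shadow format. Field 5 is the maximum
# password age in days; an empty field or 99999 means the password never expires.
SAMPLE_SHADOW='alice:$6$abc:19000:1:90:7:::
bob:$6$def:19000:1:99999:7:::
carol:$6$ghi:19000:1::7:::
dave:$6$jkl:19000:1:60:7:::
svc_backup:!:19000:1:180:7:::'

# Reads login.defs text on stdin and prints "compliant" when the system default
# PASS_MAX_DAYS is 90 days or fewer, "noncompliant" when it is larger or missing.
check_login_defs() {
    awk -v limit=90 '
        /^[[:space:]]*PASS_MAX_DAYS[[:space:]]+[0-9]+/ { max = $2 }
        END {
            if (max == "" || max + 0 > limit) print "noncompliant"
            else print "compliant"
        }'
}

# Reads shadow-format lines on stdin and prints "user:maxdays" for every account
# whose maximum password age is unset or exceeds 90 days. Accounts whose password
# field starts with "!" or "*" are locked and cannot log in with a password, so
# they are skipped.
audit_shadow() {
    awk -F: -v limit=90 '
        $2 ~ /^[!*]/ { next }
        $5 == "" || $5 + 0 > limit { print $1 ":" ($5 == "" ? "unset" : $5) }
    '
}

echo "System default: $(printf '%s\n' "$SAMPLE_LOGIN_DEFS" | check_login_defs)"
echo "Accounts exceeding 90 days:"
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```

On a real host the same functions are run as root with `check_login_defs < /etc/login.defs` and `audit_shadow < /etc/shadow`; the per-account check matters because `chage` settings override the login.defs default.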

8.2.4.b Additional testing procedure for service provider assessments only: Review internal processes and customer/user documentation to verify that:

  • Non-consumer customer user passwords/passphrases are required to change periodically; and
  • Non-consumer customer users are given guidance as to when, and under what circumstances, passwords/passphrases must change.

Passwords/passphrases that are valid for a long time without a change provide malicious individuals with more time to work on breaking the password/phrase.

Note: Testing Procedure 8.2.4.b is an additional procedure that only applies if the entity being assessed is a service provider.