
Compliance failures can cost you between $5,000 and $100,000 a month in fines, and beyond the penalties you can lose the ability to process payments altogether. However, compliance isn’t about avoiding punishment; it’s about building real security that protects your customers and your reputation. Here’s what PCI DSS 4.0 says about passwords: a minimum length of 12 characters for all accounts (increasing to 15 by 2025), a mandatory password change every 90 days, multi-factor authentication for all access to cardholder data, and brute-force protection in place. These requirements are a substantial change from previous versions and reflect the current threat landscape.

Throughout this guide, we’ll break down every password requirement in PCI DSS 4.0, who has to comply with them, and practical strategies for implementation. In addition, we’ll discuss the expanded requirements for MFA, how to address legacy systems, and some best practices for those who want to do more than meet the minimum needed to comply. By the end, you will have a clear picture of what your business needs to do.

What is PCI DSS and Why Do Password Requirements Matter?

The Payment Card Industry Data Security Standard (PCI DSS) is the global security standard administered by the PCI Security Standards Council. The Council includes the major card brands: Visa, Mastercard, American Express, Discover and JCB. Its main goal is to protect credit and debit card transactions from theft and fraud.

PCI DSS Requirement 8 focuses specifically on identifying and authenticating access to system components. Password requirements are of the utmost importance because compromised passwords are the top cause of data breaches. Attackers routinely use credential stuffing, brute force and rainbow tables to abuse weak authentication. Because of this, the Council revised the standard to reflect the contemporary threat landscape, moving beyond simple password rules to multi-layered defense strategies.

  • Understanding PCI DSS 4.0: PCI DSS 4.0 is a major evolution from version 3.2.1. The overarching objective is still protecting cardholder data (CHD), but the new standard adds flexibility by offering a “Customized Approach” alongside the traditional “Defined Approach.” One dramatic change in 4.0 is the emphasis on continuous compliance instead of a “point-in-time” annual check. Business owners therefore need to ensure that password policies and authentication mechanisms are effective 24/7/365, not only when an audit is in the window. Security has to be an ongoing process, not a yearly hurdle.
  • The Critical Role of Password Security: Passwords often act as the only barrier between a cybercriminal and your customers’ sensitive authentication data (SAD). A weak password policy leaves your payment gateways, POS systems, and backend databases vulnerable. By strictly following the PCI password requirements, you avoid fines and preserve trust. Customer trust is hard to gain and easy to lose: strong security is your best tool for retaining it.

Breaking Down PCI DSS 4.0 Password Requirements

The new standard introduces specific, non-negotiable updates to password management. The following section details these requirements.

  • Minimum Password Length (Critical): In PCI DSS 4.0 the minimum password length increases from 7 characters to 12. This significantly increases password entropy, making passwords exponentially more difficult to crack by brute force. If your legacy systems cannot support 12 characters, you must document this fact and implement compensating controls; ideally, upgrade the system.
  • Password Reuse Restrictions: Users may not reuse any of their last four passwords, which prevents cycling of credentials. This rule forces users to create truly new credentials rather than alternating between “Password123” and “Password124”, so unique passwords become the norm, not the exception.
  • Password Change Frequency: Historically, the standard required a password change every 90 days, and under PCI DSS 4.0 this remains the baseline. However, the standard now allows flexibility if you perform a Targeted Risk Analysis (TRA): if your security posture is robust enough (which usually means strong MFA), you can lengthen the rotation period. Without a formal TRA, the 90-day rule is firm.
  • Failed Login Attempt Limits: Accounts must lock out after no more than 10 failed login attempts to prevent automated attacks, and the lockout must last at least 30 minutes or until an administrator manually resets it. This delay disrupts automated scripts that try to guess credentials.
  • Unique Initial Passwords: Vendor default passwords are a huge security loophole. PCI DSS 4.0 strictly requires that you change the password of any default account immediately after installation. First-time passwords for new users must be unique and must be changed immediately after first use.
  • Session Inactivity Timeout: User sessions must terminate after 15 minutes of inactivity to prevent unauthorized access to unattended workstations. The user then has to re-authenticate before continuing their work; this protects open terminals in retail or office environments.
  • Vendor Default Passwords: Make sure that absolutely NO vendor default passwords remain in your environment. This applies to firewalls, routers, POS terminals, and third-party software, because attackers routinely scan for known defaults as an easy way in.
  • Encryption Requirements: Passwords must never be stored or transmitted in clear text; secure them with strong cryptography. This means encryption in transit (TLS 1.2 or 1.3) and robust hashing algorithms (bcrypt, Argon2 or PBKDF2) for storage.
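The thresholds above can be enforced mechanically. As an added example that is not part of the original article, the following Python sketch applies the 12-character minimum, the last-four reuse check, the 90-day expiry, the 10-attempt/30-minute lockout and the 15-minute idle timeout to a single account record, storing passwords only as salted PBKDF2 hashes (one of the algorithms named above). Timestamps are passed in as plain seconds so the logic can be exercised without waiting, and the PBKDF2 work factor is deliberately low so the demo runs quickly.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

# Thresholds taken from the PCI DSS 4.0 requirements listed above.
MIN_LENGTH, HISTORY_DEPTH = 12, 4       # 12+ characters; no reuse of the last four passwords
MAX_AGE_S = 90 * 86400                  # 90-day rotation baseline (absent a TRA)
MAX_FAILURES, LOCKOUT_S = 10, 30 * 60   # lock after 10 failures, for at least 30 minutes
IDLE_TIMEOUT_S = 15 * 60                # re-authenticate after 15 idle minutes

def hash_password(pw: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 (low work factor for the demo); cleartext is never stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def matches(pw: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(pw, salt)[1], digest)

@dataclass
class Account:
    history: list = field(default_factory=list)  # [(salt, digest), ...], newest last
    changed_at: float = 0.0
    failures: int = 0
    locked_until: float = 0.0
    last_activity: float = 0.0

    def set_password(self, pw: str, now: float) -> str:
        if len(pw) < MIN_LENGTH:
            return "too_short"
        if any(matches(pw, s, d) for s, d in self.history[-HISTORY_DEPTH:]):
            return "reused"
        self.history.append(hash_password(pw))
        self.changed_at, self.failures = now, 0
        return "ok"
    def login(self, pw: str, now: float) -> str:
        if now < self.locked_until:
            return "locked"  # cleared when the window passes or an administrator resets it
        if not self.history or not matches(pw, *self.history[-1]):
            self.failures += 1
            if self.failures >= MAX_FAILURES:  # 10th failure starts the 30-minute lockout
                self.locked_until = now + LOCKOUT_S
            return "locked" if now < self.locked_until else "bad_password"
        self.failures = 0
        if now - self.changed_at > MAX_AGE_S:
            return "expired"  # password must be changed before access is granted
        self.last_activity = now
        return "ok"
    def activity(self, now: float) -> str:
        """Session check: idle beyond 15 minutes forces re-authentication."""
        if now - self.last_activity > IDLE_TIMEOUT_S:
            return "reauth_required"
        self.last_activity = now
        return "ok"
```

In a real deployment the lockout and expiry states would also be logged, since a burst of lockouts across many accounts is a useful credential-stuffing indicator.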

Multi-Factor Authentication (MFA) Requirements Under PCI DSS 4.0

The most significant upgrade in Requirement 8 involves the expansion of Multi-Factor Authentication (MFA).

  • MFA for All CDE Access (Major Change): In the past, MFA was mostly required for remote access and administrative access. Now, ALL access to the Cardholder Data Environment (CDE) requires MFA. This applies to administrators and general users alike whenever they access systems that store, process or transmit cardholder data.
  • MFA for Remote Access (Expanded): MFA is still required for all remote access to the network, whether or not the user is accessing the CDE directly. This provides a “double-check” system in which remote users authenticate once to enter the network and possibly again to enter the CDE.

What Qualifies as Multi-Factor Authentication

Authentication must involve at least two of the three authentication factors to qualify:

  • Something you know: Password or passphrase.
  • Something you have: Smart card, hardware security key (like YubiKey), or mobile device.
  • Something you are: Biometrics (fingerprint, facial recognition).
  • MFA, FIDO2, and Phishing-Resistant Authentication: The industry is moving towards phishing-resistant MFA. Technologies such as FIDO2 and WebAuthn rely on cryptographic keys instead of shared secrets (such as OTPs), which makes them resistant to conventional phishing attacks. While not strictly mandatory, QSAs highly recommend these “passwordless” approaches as a best practice.

Who Must Comply with PCI Password Requirements?

Compliance is mandatory for any entity involved in payment processing.

Merchant Categories by Transaction Volume

  • Level 1 Merchants: Process over 6 million transactions annually. They require an onsite assessment by a QSA and a Report on Compliance (ROC).
  • Level 2-4 Merchants: Process fewer transactions. They generally complete a Self-Assessment Questionnaire (SAQ A, C, or D) and an Attestation of Compliance (AOC). But the password requirements apply regardless of your level.

Service Providers

Payment gateways, managed service providers (MSPs), and data centers that host CDEs must also comply. In fact, service providers often face stricter scrutiny regarding logical access controls.

Who is NOT Exempt

  • Small businesses: Hackers target small businesses specifically because they often lack robust security.
  • E-commerce stores: Online retailers are prime targets for web-skimming and credential stuffing.
  • Retailers with POS systems: Physical terminals must be secured against local tampering and network intrusions.
  • Restaurants: High transaction volumes make them attractive targets.
  • B2B businesses: If you process corporate cards, you are in scope.

Best Practices Beyond PCI Minimum Requirements

Meeting the standard is just the baseline. Consider these advanced strategies to genuinely secure your business.

  • Implement Passphrases, Not Passwords

Security teams should promote long passphrases such as “Correct-Horse-Battery-Staple” over complex short codes. These phrases provide better entropy against brute-force attackers and are much easier for a human user to remember.

  • Use Enterprise Password Managers

Use tools such as 1Password or Keeper to generate random 25-character passwords for every service. This removes the memory burden, so employees never resort to weak or reused passwords across business applications and sites.

  • Implement Privileged Access Management (PAM)

PAM solutions strictly control and audit administrative accounts (often called the “keys to the kingdom”). These systems isolate critical access so that only authorized personnel can reach sensitive infrastructure components.

  • Put Threat Intelligence Monitoring in place

Actively monitor dark web marketplaces to identify whether corporate credentials have appeared in data dumps. Early detection lets IT teams force immediate password resets before attackers take advantage of exposed logins.

  • Create Password Blacklists

Configure systems to reject the most common choices, such as “Password123!” or “Company2024”, even when they technically satisfy the complexity rules. This stops people from choosing technically valid but easy-to-guess credentials, which are exactly what attackers try first.
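A denylist is only effective if it also catches the cosmetic variants users reach for. The Python below is an added example (not from the original article) showing one way to normalise candidates so that “Password123!”, “P@ssw0rd!!2024” and “Company2024!!” all collapse onto the same rejected entries; the word list and the organisation terms (“company”, “acme”) are constructed placeholders, not a real breach corpus.

```python
import re

# Constructed denylist: the article's examples plus a few common choices (illustrative only).
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "admin", "iloveyou"}
# Organization-specific terms the policy should also reject (constructed placeholder values).
ORG_TERMS = {"company", "acme"}
# Substitutions that keep a weak password "complex" on paper: @->a $->s 0->o 4->a 3->e 1->i 5->s 7->t
LEET = str.maketrans("@$043157", "asoaeist")

def normalize(pw: str) -> str:
    """Reduce a candidate to its core word so cosmetic variants hit the same denylist entry."""
    base = pw.lower()
    base = re.sub(r"[^a-z0-9]+$", "", base)    # drop trailing punctuation ("...!!")
    base = re.sub(r"(19|20)\d{2}$", "", base)  # strip a trailing year such as 2024
    base = re.sub(r"\d+$", "", base)           # strip any remaining trailing digits
    base = base.translate(LEET)                # undo leetspeak substitutions
    return re.sub(r"[^a-z0-9]", "", base)      # remove separators inside the word

def is_denylisted(pw: str) -> bool:
    """True when the password reduces to a common password or contains an org-specific term."""
    base = normalize(pw)
    return base in COMMON_PASSWORDS or any(term in base for term in ORG_TERMS)

def check_password(pw: str) -> str:
    """Length first (the PCI DSS 4.0 minimum of 12 characters), then the denylist."""
    if len(pw) < 12:
        return "too_short"
    return "denylisted" if is_denylisted(pw) else "ok"
```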

  • Enable Continuous Risk-based Authentication

Implement systems that learn user behaviour, such as location, typing speed and device fingerprints. Real-time anomaly detection blocks suspicious access attempts as they happen, even when the attacker holds the correct login credentials.

  • Go Beyond MFA: Passwordless Authentication

Removing passwords entirely removes the main target of thieves. Adopting FIDO2 or biometric standards eliminates shared secrets in favour of cryptographic keys, rendering traditional phishing and credential-harvesting attacks ineffective.

Additional PCI DSS 4.0 Requirements Affecting Password Security

  • Inactive Account Management: Security teams must disable or remove any user account that has been inactive for more than 90 days. This critical step eliminates “ghost accounts”, forgotten access points that attackers can quietly exploit.
  • Identity Verification Before Password Changes: Help desk staff must strictly verify a user’s identity before handling any password change. This strict validation protocol counters the social engineering tactic in which an attacker impersonates an employee to obtain their credentials.
  • Token and Smart Card Assignment: Organizations must assign physical authentication tokens and smart cards to individual users and never share them among teams. This maintains accountability and prevents unauthorized access if a particular device is lost.
  • Risk-Based Password Policies: Companies can now tailor specific password policy rules, such as rotation frequency, based on a targeted risk analysis. This flexibility lets security teams adapt controls to their actual risk level.
  • Hard-Coded Password Prohibition: Developers must not embed passwords or credentials in application source code or scripts. Hard-coded secrets are trivial for attackers to find once they can read the code, leading to immediate compromise of the affected systems.

Common Challenges and Solutions for PCI Password Compliance

Legacy Systems Don’t Support 12-Character Passwords

  • Solution: Document the limitation and implement compensating controls in the meantime, as described under the minimum length requirement above; plan to upgrade or replace the system.

User Resistance to MFA

  • Solution: Use “low-friction” MFA methods like push notifications or biometrics rather than tedious 6-digit codes.

Increased Help Desk Calls for Password Resets

  • Solution: Implement self-service password reset tools that use strong identity verification, reducing the burden on IT staff.

Managing Multiple Password Policies

  • Solution: Centralize identity management using Single Sign-On (SSO) (e.g., Okta, Azure AD) so you only enforce one strong policy across all apps.

Securing Third-Party/Vendor Access

  • Solution: Enforce “Just-in-Time” access where vendors only get credentials for the specific window of time they are doing work.

Balancing Security with Usability

  • Solution: Adopt the “zero trust” model. Trust no device or user by default but make the verification process invisible to the user whenever possible.

Final Thoughts

These controls are your first line of defense against credential-based attacks, which are responsible for nearly half of all data breaches. Organizations that take a strategic approach to password security, implementing MFA comprehensively, adopting password managers, and planning for a passwordless future, put themselves in a position where their security is authentic rather than token.

Finally, keep some perspective on compliance vs. security. Strive for the spirit of PCI DSS – creating strong defenses against evolving threats – not just the letter of the requirements. Your business deserves more than the bare minimum for compliance, and your customers deserve actual protection. If you need any kind of help from our PCI Compliance consultants, give us a call.

Do PCI password requirements apply to cashier logins on POS terminals?

Yes. Any account that can access the CDE, including POS logins, falls under these requirements.

Can we use a password manager to help with PCI compliance?

Absolutely. Password managers are strongly recommended as they facilitate unique, complex passwords for every account.

If we implement MFA, do we still need to change passwords every 90 days?

Under PCI DSS 4.0, if you perform a Targeted Risk Analysis that validates the security of your MFA implementation, you may extend or eliminate the 90-day rotation requirement.

What’s the difference between PCI DSS 4.0 and 4.0.1?

Version 4.0.1 acts as a limited revision mostly for clarity and formatting corrections. It does not materially change the core password requirements established in 4.0.

Are passphrases acceptable under PCI DSS 4.0?

Yes, and experts encourage them. A long passphrase often exceeds the 12-character minimum and provides excellent entropy.

What does “strong cryptography” mean for password encryption?

It refers to using industry-tested algorithms like AES-256 for storage and TLS 1.2+ for transmission. Deprecated methods like MD5 or SHA-1 are not acceptable.

Can we use SMS-based two-factor authentication for PCI compliance?

Yes, SMS is currently allowed. But security professionals discourage it due to SIM-swapping attacks. App-based authenticators or hardware keys are superior.

Do we need to comply with PCI DSS if we use a payment processor and don’t store card data?

Yes. If you accept cards, you must comply. But using a third-party processor likely reduces your scope to a simpler SAQ (like SAQ A).

What’s the first step for a business that hasn’t started PCI DSS 4.0 compliance?

Conduct a “gap analysis.” Compare your current controls against the new v4.0 standard to identify exactly what is missing.

Are there industry-specific PCI DSS variations?

No, the standard is universal. But implementation details may vary between a retail store (POS focus) and a SaaS provider (database focus).
