PCI Requirement 8.2.4 – Change User Passwords/Passphrases at Least Once Every 90 Days

by Randy Bartels / December 21st, 2017

Password/Passphrase Expiration

PCI Requirement 8.2.4 expects your organization to change user passwords/passphrases at least once every 90 days. The PCI DSS explains, “Passwords/passphrases that are valid for a long time without a change provide malicious individuals with more time to work on breaking the password/phrase.” You may think that a shorter password/passphrase expiration date would be more secure, but best practice states that 90 days is an appropriate period of time. A smaller window, like 30 days, can reduce usability and cause users to choose weak passwords.

To verify compliance with PCI Requirement 8.2.4, assessors will examine a sample of system configuration settings to see that you change user passwords/passphrases at least once every 90 days. Service providers must undergo additional testing of their internal processes to see that non-consumer customer user passwords/passphrases are required to change periodically and these users are given guidance on when, and under what circumstances, passwords/passphrases must change.

If I’m Hacker Joe and I have your username and password and I’m using your account, that’s a bad thing, right? From a minimum perspective, the longest Hacker Joe should have access to any account would be 90 days. The reason for that is when we look at PCI Requirement 8.2.4, it requires that you change your password every 90 days. This really becomes a security consideration if you make it every 30 days, because people might start writing their password down just because it’s so cumbersome. They might use “Password1” and then change it to “Password2” and the next time it’s “Password3.” Every 90 days is one of those requirements that you may want to do more, but understand the implication of that and how it could play out in your environment.