Password Security for eCommerce Businesses: PCI-DSS Without the Headaches
If you take card payments, you need PCI-DSS compliance. Here is the minimum-viable compliance path for small eCommerce operations.
Why eCommerce has higher stakes
If your business processes card payments, you operate in PCI-DSS scope. This means your password controls aren't just good practice — they're contractual requirements under your merchant agreement and subject to QSA assessment. A PCI-DSS non-compliance finding around password controls can result in fines, increased transaction fees, or loss of the ability to accept card payments.
What PCI-DSS v4.0 requires for passwords
Requirement 8.3.6: Passwords must be at least 12 characters (up from 8 in v3.2.1).
Requirement 8.3.7: Passwords must contain both numeric and alphabetic characters.
Requirement 8.3.9: If passwords are the only authentication factor, they must be changed at least every 90 days or following a risk-based analysis — unless combined with additional factors.
Requirement 8.6.1: All administrative access to cardholder data environment (CDE) systems must use 2FA.
Practical setup for Shopify, WooCommerce, and payment systems
For Shopify merchants: your Shopify admin account credentials are in PCI scope. Use a 16-character password generated by PassGeni's PCI-DSS preset, enable Shopify's built-in 2FA, and review your staff account permissions quarterly — all staff with admin access should have their own accounts, not share a single login.
For WooCommerce/WordPress merchants: your WordPress admin account, hosting control panel, and payment gateway credentials are all in scope. Generate credentials for each with PassGeni's PCI-DSS preset. Disable XML-RPC to prevent credential brute-forcing. Use a firewall plugin that rate-limits login attempts.
For payment gateway accounts (Stripe, PayPal, Square): these have direct financial impact and should have the strongest credentials you use anywhere. 20+ characters, unique, stored in your password manager, with hardware 2FA where available.
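The requirements listed above and the credential-generation steps for Shopify, WooCommerce and gateway accounts can be turned into a small self-check. The following is an added example, not code from the page or from PassGeni: `check_password_policy` and `generate_password` are assumed names, and the sample passwords and dates in the test are constructed.

```python
import secrets
import string
from datetime import date

MIN_LENGTH = 12      # Requirement 8.3.6 as stated above: at least 12 characters
MAX_AGE_DAYS = 90    # Requirement 8.3.9: rotate within 90 days when the password is the sole factor


def check_password_policy(password, last_changed=None, today=None, has_mfa=False):
    """Return a list of findings against the stated rules; an empty list means the password passes.

    last_changed / today are ISO dates ("YYYY-MM-DD"); the age check is skipped when
    last_changed is not given or when a second factor (has_mfa) is in place.
    """
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"8.3.6: length {len(password)} is below the {MIN_LENGTH}-character minimum")
    if not any(c.isalpha() for c in password):
        findings.append("8.3.7: no alphabetic characters")
    if not any(c.isdigit() for c in password):
        findings.append("8.3.7: no numeric characters")
    if last_changed is not None and not has_mfa:
        current = date.fromisoformat(today) if today else date.today()
        age = (current - date.fromisoformat(last_changed)).days
        if age > MAX_AGE_DAYS:
            findings.append(f"8.3.9: password is {age} days old; single-factor passwords rotate within {MAX_AGE_DAYS} days")
    return findings


def generate_password(length=16):
    """Generate a random password (CSPRNG via `secrets`) that satisfies the stated rules.

    16 is the admin-account length suggested above; use 20+ for payment gateway accounts.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:  # reject candidates that happen to miss a letter or digit
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password_policy(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample: a short, digit-free credential flagged on two counts
    for finding in check_password_policy("shopadmin", last_changed="2024-01-01", today="2024-06-01"):
        print(finding)
    print("generated:", generate_password(20))
```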
The shortcut that actually works
PassGeni's Policy Generator produces a PCI-DSS v4.0 aligned password policy document that you can hand to your QSA. It's not a substitute for implementation — you still need to actually use compliant passwords — but it satisfies PCI-DSS's requirement that you have a documented password policy in writing.