PCI-DSS v4.0 Raised the Password Bar. Here's What You Missed.
Compliance · January 10, 2025 · 8 min read


PCI-DSS v4.0 brought significant changes to password requirements: the minimum length increased, and MFA became mandatory in more contexts. Here is the complete breakdown.

The key password changes in PCI-DSS v4.0

Minimum password length: increased from 7 to 12 characters (Requirement 8.3.6).

MFA: mandatory for all interactive user access to the cardholder data environment, not just remote access (Requirement 8.4.2).

Password history: at least 4 previous passwords must be remembered to prevent reuse.

Change frequency: maximum 90-day rotation (or continuous risk analysis as an alternative).

What this means for your compliance program

If your current password policy sets 8-character minimums, you are out of compliance with PCI-DSS v4.0. Update your policy to require 12 characters minimum, implement MFA for all cardholder data environment access, and document your password quality checks.
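As an added example (not code from the post), a minimal password-policy check in Python that enforces the three values listed above: a 12-character minimum, no reuse of the last four passwords (compared against salted PBKDF2 hashes so plaintext history is never stored), and a 90-day age flag. The constant names, the PBKDF2 parameters and the function names are this example's own assumptions, not anything PCI-DSS prescribes.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Policy values as stated in the post; the constant names are this example's own.
MIN_LENGTH = 12      # minimum password length (Requirement 8.3.6)
HISTORY_DEPTH = 4    # previous passwords that may not be reused
MAX_AGE_DAYS = 90    # maximum rotation interval


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Assumed parameters."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def reused(password, history):
    """True if the candidate matches any of the most recent HISTORY_DEPTH entries.

    history is a list of (salt, digest) tuples, oldest first."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            return True
    return False


def check_new_password(password, history):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if reused(password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def rotation_due(last_changed, now=None):
    """True when the password is older than MAX_AGE_DAYS (timezone-aware datetimes)."""
    now = now or datetime.now(timezone.utc)
    return now - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample: one prior password in history, then a reuse attempt.
    history = [hash_password("CorrectHorseBattery1")]
    print(check_new_password("CorrectHorseBattery1", history))   # reuse rejected
    print(check_new_password("AnotherLongPassphrase2", history))  # []
```

Only the checks the post names are implemented here; a real deployment would also record the outcome of each check, since the post asks you to document them.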
