Password Requirements for PCI Compliance
PCI compliance password requirements are:
- Require a minimum length of at least seven characters.
- Contain both numeric and alphabetic characters.
- Require users to change passwords at least every 90 days.
- Password parameters are set to require that new passwords cannot be the same as the four previously used passwords.
- First-time passwords for new users, and reset passwords for existing users, are set to a unique value for each user and changed after first use.
- User accounts are temporarily locked out after not more than six invalid access attempts.
- Once a user account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the account.
- System/session idle time-out features have been set to 15 minutes or less.
- Passwords are protected with strong cryptography during transmission and storage.
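The first four requirements above (minimum length, alphabetic plus numeric characters, 90-day rotation, no reuse of the last four passwords) can be checked in a few lines. The following is an added example written for this page, not code from the application it describes; the salted PBKDF2 hashing, the iteration count and the message strings are assumptions chosen for illustration, and the sample passwords are constructed.

```python
import hashlib
import secrets
from datetime import datetime, timedelta

# Policy values taken from the requirement list above.
MIN_LENGTH = 7
HISTORY_DEPTH = 4
MAX_AGE_DAYS = 90

# Assumed scheme for "strong cryptography ... during storage": salted PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt_hex=None):
    """Return 'salt$digest' (both hex). A fresh random salt is drawn when none is given."""
    if salt_hex is None:
        salt_hex = secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return f"{salt_hex}${digest.hex()}"


def verify_password(password, stored):
    """Constant-time comparison of a candidate against a stored 'salt$digest' string."""
    salt_hex, _ = stored.split("$", 1)
    return secrets.compare_digest(hash_password(password, salt_hex), stored)


def check_complexity(password):
    """Requirements 1 & 2: at least seven characters, with both letters and digits.

    Returns a list of problems; an empty list means the password passes.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    return problems


def check_history(password, previous_hashes):
    """Requirement 4: the new password may not equal any of the last four.

    previous_hashes is oldest-first, so only its last HISTORY_DEPTH entries count.
    """
    recent = previous_hashes[-HISTORY_DEPTH:]
    return not any(verify_password(password, h) for h in recent)


def password_expired(last_changed, now=None):
    """Requirement 3: a password older than 90 days must be changed."""
    now = now if now is not None else datetime.now()
    return now - last_changed > timedelta(days=MAX_AGE_DAYS)


def validate_new_password(password, previous_hashes):
    """Combine the complexity and history checks for a proposed new password."""
    problems = check_complexity(password)
    if not check_history(password, previous_hashes):
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample history, oldest first, stored only as hashes.
    history = [hash_password(p) for p in ["Winter2023", "Spring2024", "Summer2024", "Autumn2024"]]
    for candidate in ["abc12", "1234567", "Autumn2024", "Winter2025"]:
        print(candidate, "->", validate_new_password(candidate, history) or "ok")
    print("expired after 121 days:", password_expired(datetime(2024, 1, 1), datetime(2024, 5, 1)))
```

Only hashes are kept for the history check, so the comparison against the last four passwords never requires storing old passwords in clear; `password_expired` takes an explicit `now` so the 90-day rule can be tested without waiting.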
Requirements 1 & 2
Administration | Security | Password Validations
Requirements 3 & 4
Administration | Application | Application Settings
Requirement 5
Administration | Security | Reset Password
When setting or resetting passwords, do not repeat "starter" passwords.
A simple solution is to use the word Reset plus a random three-digit number. Examples:
Reset123
Reset548
Reset736
The administrator should tell the user their new password and confirm that the user logs in and changes it to one known only to the user.
Requirements 6 & 7
Administration | Application | Application Settings
- Set MaxConsecutiveFailedLoginAttempts to 6
- Set MaxConsecutiveFailedLoginAttemptsTimespanHours to 1 or more
To unlock a user, first go to the Reports tab and run the Security Audit report to review the user login attempts and confirm the user's IP address, then:
Administration | Security | Unlock User
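Requirements 6 and 7 (and the 15-minute idle time-out from the list above) describe a small state machine: count consecutive failures inside a time window, lock the account at six, hold the lock for 30 minutes or until an administrator clears it, and keep an audit trail of attempts with their source IP so the unlock step can be checked the way the Security Audit report is used. The following is an added example written for this page, not the application's own lockout code; the two setting names are the ones shown above, while the class, method names, window handling and the sample attempt data are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Values from the settings above and the requirement list.
MAX_CONSECUTIVE_FAILED_LOGIN_ATTEMPTS = 6                 # MaxConsecutiveFailedLoginAttempts
FAILED_ATTEMPT_WINDOW = timedelta(hours=1)                # MaxConsecutiveFailedLoginAttemptsTimespanHours = 1
LOCKOUT_DURATION = timedelta(minutes=30)                  # requirement 7
IDLE_TIMEOUT = timedelta(minutes=15)                      # requirement 8


class AccountLockout:
    """Tracks failed logins per user and locks the account after too many in the window."""

    def __init__(self):
        self.failures = {}       # user -> timestamps of recent failures
        self.locked_until = {}   # user -> time the automatic lock expires
        self.audit = []          # (timestamp, user, source_ip, outcome), like an audit report

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record_failure(self, user, now, source_ip):
        """Record a failed attempt; return True if this attempt locked the account."""
        # Only failures inside the configured window count as consecutive.
        recent = [t for t in self.failures.get(user, []) if now - t <= FAILED_ATTEMPT_WINDOW]
        recent.append(now)
        self.failures[user] = recent
        self.audit.append((now, user, source_ip, "failure"))
        if len(recent) >= MAX_CONSECUTIVE_FAILED_LOGIN_ATTEMPTS:
            self.locked_until[user] = now + LOCKOUT_DURATION
            self.audit.append((now, user, source_ip, "locked"))
            return True
        return False

    def record_success(self, user, now, source_ip):
        """A successful login resets the consecutive-failure count."""
        self.failures.pop(user, None)
        self.audit.append((now, user, source_ip, "success"))

    def admin_unlock(self, user, now, admin):
        """Administration | Security | Unlock User: clear the lock and the failure history."""
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)
        self.audit.append((now, user, f"admin:{admin}", "unlocked"))

    def attempts_by_ip(self, user):
        """Summarise where a user's failed attempts came from, as the audit report step asks."""
        return dict(Counter(ip for _, u, ip, outcome in self.audit if u == user and outcome == "failure"))


def session_idle_expired(last_activity, now):
    """Requirement 8: a session idle for more than 15 minutes must be ended."""
    return now - last_activity > IDLE_TIMEOUT


if __name__ == "__main__":
    # Constructed scenario: six failures from one address within a few minutes.
    lockout = AccountLockout()
    start = datetime(2024, 6, 1, 9, 0)
    for minute in range(6):
        locked = lockout.record_failure("alice", start + timedelta(minutes=minute), "10.0.0.5")
        print(f"attempt {minute + 1}: locked={locked}")
    print("failed attempts by IP:", lockout.attempts_by_ip("alice"))
    print("still locked after 20 min:", lockout.is_locked("alice", start + timedelta(minutes=25)))
    lockout.admin_unlock("alice", start + timedelta(minutes=26), "helpdesk")
    print("locked after admin unlock:", lockout.is_locked("alice", start + timedelta(minutes=27)))
```

The window filter in `record_failure` is what the timespan setting provides: six failures spread over a whole day are not consecutive and do not lock the account, while six within an hour do. The audit list is what an administrator reviews before unlocking, so the source address of the failures is visible alongside the unlock action itself.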