💳 PCI-DSS v4.0 Password Requirements: What Changed and How to Comply
The Payment Card Industry Data Security Standard (PCI-DSS) v4.0 was published in March 2022; v3.2.1 was retired on 31 March 2024, and the remaining future-dated v4.0 requirements (including several of the authentication changes below) become mandatory on 31 March 2025. This guide covers exactly what changed in the password and authentication requirements, what is still the same, and practical steps to achieve compliance.
What Stayed the Same
Before diving into the changes, here is what PCI-DSS v4.0 carries forward from v3.2.1 with little or no modification:
- Passwords must contain both numeric and alphabetic characters (Requirement 8.3.6)
- Vendor-supplied defaults (passwords, SNMP community strings, default accounts) must be changed or removed before a system goes into production (Requirement 2.2.2)
- Initial and reset passwords must be unique per user and changed on first use (Requirement 8.3.5)
- A new password must differ from the last four used (Requirement 8.3.7)
- Sessions idle for more than 15 minutes require re-authentication (Requirement 8.2.8)
- Group, shared, or generic accounts remain restricted: v4.0 (Requirement 8.2.2) permits them only on an exception basis, with documented business justification, management approval, and every action still attributable to an individual
What Changed in PCI-DSS v4.0
1. Multi-Factor Authentication Expansion (Requirement 8.4)
PCI-DSS v4.0 significantly expands MFA requirements. Previously, MFA was required only for non-console administrative access to the cardholder data environment (CDE) and for remote network access originating from outside the entity's network. Now:
- MFA is required for all access into the CDE (Requirement 8.4.2, future-dated and mandatory from 31 March 2025), in addition to non-console administrative access (8.4.1) and remote access from outside the network (8.4.3)
- This covers employees, contractors, and third parties alike; the stated exceptions are application or system accounts performing automated functions, and user accounts on point-of-sale terminals that can access only one card number at a time
- MFA must use at least two of three different factor types: something you know (password), something you have (token/phone), something you are (biometric)
- Requirement 8.5.1 sets implementation rules: the MFA system must not be susceptible to replay, must not be bypassable (except for documented, management-approved exceptions), and must require success of all factors before access is granted
2. Minimum Length and Passphrase Support (Requirement 8.3.6)
V4.0 raises the minimum length from 7 to 12 characters (or 8 characters only where the system genuinely cannot support 12), and the requirement text now reads "passwords/passphrases" throughout, so multi-word passphrases are explicitly acceptable. Practical points: - The numeric-plus-alphabetic rule still applies, so a passphrase needs at least one digit somewhere - PCI-DSS sets no maximum length; NIST SP 800-63B recommends accepting at least 64 characters, and the space character should be accepted so word-separated passphrases are not mangled - Length is what drives strength here, and long passphrases are both harder to guess and easier to remember than short symbol-laden passwords
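The two rules above can be enforced at password-change time. The following is an added example, not code from the PCI SSC or from the original article: it checks a proposed password or passphrase against the Requirement 8.3.6 minimum (12 characters, or 8 where the system cannot do 12, plus a digit and a letter) and against the Requirement 8.3.7 history of the last four secrets, which it stores as salted PBKDF2 hashes so old passwords are never kept in clear. Function names, constants and the sample secrets are this example's own assumptions.

```python
"""Added example (not PCI SSC or the article's own code): a checker for the
PCI DSS v4.0 Requirement 8.3.6 minimum-complexity rule and the 8.3.7
four-password history rule. Names, constants and sample data are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 12          # 8.3.6: at least 12 characters ...
LEGACY_MIN_LENGTH = 8    # ... or 8 where the system cannot support 12
HISTORY_DEPTH = 4        # 8.3.7: must differ from the last four passwords/passphrases
PBKDF2_ROUNDS = 600_000  # salted PBKDF2-HMAC-SHA256 work factor (OWASP's 2023 figure)


def complexity_violations(secret: str, system_supports_12: bool = True) -> list[str]:
    """Return the 8.3.6 rules the secret breaks; an empty list means it passes.
    Spaces are ordinary characters, so multi-word passphrases count at full length."""
    s = unicodedata.normalize("NFKC", secret)  # NIST SP 800-63B: normalise before checking/hashing
    min_len = MIN_LENGTH if system_supports_12 else LEGACY_MIN_LENGTH
    violations = []
    if len(s) < min_len:
        violations.append(f"fewer than {min_len} characters")
    if not any(ch.isdigit() for ch in s):
        violations.append("no numeric character")
    if not any(ch.isalpha() for ch in s):
        violations.append("no alphabetic character")
    return violations


def hash_secret(secret: str, salt: bytes | None = None,
                rounds: int = PBKDF2_ROUNDS) -> tuple[bytes, int, bytes]:
    """Salted PBKDF2-HMAC-SHA256 of the NFKC-normalised secret. Returns (salt, rounds, digest)
    so the history store keeps everything needed to re-derive and compare later."""
    salt = os.urandom(16) if salt is None else salt
    normalised = unicodedata.normalize("NFKC", secret).encode("utf-8")
    return salt, rounds, hashlib.pbkdf2_hmac("sha256", normalised, salt, rounds)


def reused_recently(secret: str, history: list[tuple[bytes, int, bytes]]) -> bool:
    """history is ordered newest first; only the last HISTORY_DEPTH entries matter for 8.3.7."""
    for salt, rounds, digest in history[:HISTORY_DEPTH]:
        _, _, candidate = hash_secret(secret, salt, rounds)
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            return True
    return False


def evaluate_new_secret(secret: str, history: list[tuple[bytes, int, bytes]],
                        system_supports_12: bool = True) -> list[str]:
    """Every reason a proposed password/passphrase must be rejected under 8.3.6 and 8.3.7."""
    problems = complexity_violations(secret, system_supports_12)
    if reused_recently(secret, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} secrets")
    return problems


if __name__ == "__main__":
    # Constructed sample history: five previous secrets, newest first
    # (a low round count keeps the demo quick; production keeps PBKDF2_ROUNDS).
    previous = ["spring-river-2024-alpha", "old-kettle-77-bridge", "Tr0ub4dor!x3",
                "maple 41 harbour lantern", "first-ever-9-secret"]
    history = [hash_secret(p, rounds=20_000) for p in previous]
    for candidate in ["correct horse battery staple 9",  # passes: long, has a digit and letters
                      "correct horse battery staple",    # fails: PCI still wants a numeric character
                      "Tr0ub4dor!",                      # fails: 10 characters is below 12
                      "Tr0ub4dor!x3",                    # fails: reused (third most recent)
                      "first-ever-9-secret"]:            # passes: fifth most recent, outside the history
        print(f"{candidate!r}: {evaluate_new_secret(candidate, history) or 'OK'}")
```

The `system_supports_12` flag is the hook for the legacy-terminal case in the pitfalls section: a system that cannot take 12 characters is held to 8, and that exception should be written down alongside the device inventory rather than silently lowering the limit for everyone.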
3. Risk-Based Authentication and Lockout (Requirements 8.3.9, 8.3.10.1 and 8.3.4)
V4.0 does not add a standalone "risk-based authentication" requirement, but it lets a dynamic, risk-based approach stand in for fixed controls in two places, and it tightens lockout: - Requirement 8.3.9 accepts "dynamically analysing the security posture of accounts and determining access in real time" as an alternative to 90-day rotation for password-only user access - Requirement 8.3.10.1 (future-dated, service providers only) applies the same choice to customer user accounts that authenticate with a password alone - Requirement 8.3.4 now locks an account after no more than 10 invalid attempts (v3.2.1 allowed 6), for at least 30 minutes or until the user's identity is confirmed - In practice this means authentication logs have to be reviewed: failed attempts, lockouts and any successful login that follows a lockout within the window need an explanation
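Reviewing failed attempts against the Requirement 8.3.4 limits is something an assessor will ask for evidence of. The following is an added example, not code from the PCI SSC or the original article: it replays constructed sshd-style log lines per account, reports when an account reaches the 10-attempt limit (and so must now be locked), and flags any successful login inside the 30-minute lockout window, which means either the lockout was not enforced or the user's identity was confirmed out of band and the helpdesk record needs checking. The log format, account names, addresses and timestamps are all constructed for the example.

```python
"""Added example (not PCI SSC or the article's own code): an audit check for
Requirement 8.3.4 run over constructed sshd-style log lines. The log format,
thresholds, account names and timestamps are this example's assumptions."""
from __future__ import annotations

import re
from datetime import datetime, timedelta

MAX_INVALID_ATTEMPTS = 10            # 8.3.4: lock after no more than 10 invalid attempts
MIN_LOCKOUT = timedelta(minutes=30)  # 8.3.4: locked for at least 30 min, or until identity is confirmed

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def audit_lockouts(lines, max_attempts=MAX_INVALID_ATTEMPTS, min_lockout=MIN_LOCKOUT):
    """Replay auth events per account and return (user, issue, timestamp) findings:
    'threshold_reached'       the account hit the limit and must be locked from this point;
    'success_during_lockout'  a login succeeded inside the lockout window, so either the
                              lockout was not enforced or identity was confirmed out of band
                              (the reviewer checks the helpdesk record either way)."""
    failures: dict[str, int] = {}        # consecutive failures per account
    locked_at: dict[str, datetime] = {}  # when each account reached the limit
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # unrelated sshd line (connection closed, etc.)
        ts, user = datetime.fromisoformat(m["ts"]), m["user"]
        if m["result"] == "Failed":
            failures[user] = failures.get(user, 0) + 1
            if failures[user] == max_attempts:
                locked_at[user] = ts
                findings.append((user, "threshold_reached", ts))
        else:
            since = locked_at.pop(user, None)
            if since is not None and ts - since < min_lockout:
                findings.append((user, "success_during_lockout", ts))
            failures[user] = 0           # a successful login resets the counter
    return findings


def _event(ts: datetime, result: str, user: str, ip: str) -> str:
    """Constructed sshd-style line; sample data, not a captured log."""
    return (f"{ts.isoformat(timespec='seconds')} sshd[1201]: {result} password for "
            f"{user} from {ip} port 40100 ssh2")


def sample_log() -> list[str]:
    """Constructed log: one account whose lockout was not honoured, one below the limit,
    and one whose next successful login came after the 30-minute minimum."""
    base = datetime(2025, 4, 1, 9, 0, 0)
    lines = []
    # alice: 10 failures ten seconds apart, then a success only ten minutes later -> finding
    lines += [_event(base + timedelta(seconds=10 * i), "Failed", "alice", "203.0.113.5") for i in range(10)]
    lines.append(_event(base + timedelta(minutes=10), "Accepted", "alice", "203.0.113.5"))
    # bob: 3 failures then a success -> below the limit, nothing to report
    lines += [_event(base + timedelta(minutes=20, seconds=10 * i), "Failed", "bob", "198.51.100.7") for i in range(3)]
    lines.append(_event(base + timedelta(minutes=20, seconds=30), "Accepted", "bob", "198.51.100.7"))
    # carol: 10 failures, then a success about 43 minutes after the lockout started -> lockout honoured
    lines += [_event(base + timedelta(hours=1, seconds=10 * i), "Failed", "carol", "192.0.2.9") for i in range(10)]
    lines.append(_event(base + timedelta(hours=1, minutes=45), "Accepted", "carol", "192.0.2.9"))
    lines.append("2025-04-01T10:46:00 sshd[1201]: Connection closed by 192.0.2.9 port 40100")  # ignored
    return lines


if __name__ == "__main__":
    for user, issue, ts in audit_lockouts(sample_log()):
        print(f"{ts.isoformat()} {user}: {issue}")
```

The check deliberately counts consecutive failures across source addresses, because the requirement is about the account, not the client; a distributed guessing campaign against one user ID is exactly the case a per-IP counter would miss.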
4. Password Rotation Relaxed, With Conditions (Requirement 8.3.9)
V3.2.1 required user passwords to be changed at least every 90 days. V4.0 keeps that interval only for accounts where a password is the sole authentication factor, and even then offers the dynamic-analysis alternative described above: - Where MFA protects the access (which Requirement 8.4.2 makes the norm for the CDE), periodic rotation is no longer mandated, and passwords need changing when there is evidence of compromise or a user forgets one - Where a password is the only factor, either keep the 90-day change or implement real-time security-posture analysis of accounts - System and application account passwords are handled separately under Requirement 8.6.3, where the change frequency is set by the entity's targeted risk analysis - This direction matches NIST SP 800-63B, which advises against forced periodic changes because users respond with predictable, incrementally modified passwords, and instead requires a change when compromise is suspected
Practical Compliance Steps
| Step | Action | Timeline |
|---|---|---|
| 1 | Enable MFA for all access into the CDE (8.4.2), and verify it is not replayable or bypassable (8.5.1) | Immediate |
| 2 | Update password policy to a 12-character minimum with passphrase support (8.3.6); document any system held to 8 | Within 30 days |
| 3 | Drop 90-day rotation for MFA-protected accounts; keep it (or real-time account analysis) for password-only access (8.3.9) | Within 30 days |
| 4 | Set lockout to no more than 10 failed attempts and at least 30 minutes (8.3.4), and put authentication-log review in place | Within 90 days |
| 5 | Review and update security awareness training for the new requirements | Within 60 days |
Common Compliance Pitfalls
- Service and application accounts: these are excluded from the MFA requirement, so secure them under Requirement 8.6 instead: no interactive login unless needed, no hard-coded passwords in scripts or configuration files (8.6.2), and a change frequency justified by targeted risk analysis (8.6.3)
- Legacy systems: older payment terminals may not accept 12-character passphrases; Requirement 8.3.6 allows an 8-character minimum where the system cannot support 12, and anything weaker than that needs a documented compensating control
- Third-party vendors: ensure vendors accessing your CDE also meet the v4.0 requirements, including MFA for their access into your environment
Bottom line: PCI-DSS v4.0 shifts toward MFA-first, risk-based authentication rather than rigid password rotation. Use long passphrases with a 12-character floor, enable MFA for all access into the CDE, lock accounts after 10 failures, and monitor authentication logs for anomalies.