What are the PCI-DSS v4.0 password length requirements?

PCI-DSS v4.0 Requirement 8.3.6 mandates a minimum password length of 12 characters for systems protecting cardholder data, increased from 7 characters in v3.2.1. For systems not using MFA, the minimum is 15 characters. All passwords must use both numeric and alphabetic characters. Randomly generated passwords meeting these requirements offer significantly stronger protection than the minimums suggest — 20+ character generated passwords are recommended for all staff accessing cardholder data environments.

What did PCI-DSS v4.0 change about password rotation?

PCI-DSS v4.0 aligned with NIST SP 800-63B guidance: mandatory periodic password rotation (the old 90-day rule) was replaced with rotation based on indicators of compromise. Passwords must be changed when compromise is known or suspected, when an account is shared, and for service accounts when staff with access leave. Calendar-based rotation without evidence of compromise is no longer required.

Does PCI-DSS v4.0 require multi-factor authentication?

Yes. PCI-DSS v4.0 Requirement 8.4 mandates MFA for all access into the cardholder data environment (CDE) and for all remote access to the network. Requirement 8.6 extends this to all non-consumer user accounts with access to systems in the CDE. SMS-based OTP is technically compliant but not recommended — FIDO2/WebAuthn hardware keys or authenticator apps are strongly preferred.

What is a cardholder data environment (CDE) and who does PCI-DSS apply to?

The CDE is the network segment containing or transmitting payment card data including card numbers (PAN), cardholder names, expiration dates, and service codes. PCI-DSS applies to any organisation that processes, stores, or transmits cardholder data — merchants, payment processors, acquirers, issuers, and service providers. Scope reduction (tokenisation, point-to-point encryption) is the most effective way to reduce compliance burden.

How do the PCI-DSS v4.0 requirements interact with NIST SP 800-63B?

PCI-DSS v4.0 was written with NIST SP 800-63B 2025 alignment in mind. Both prohibit mandatory calendar-based rotation, both require checking credentials against breach corpora at creation, and both recommend MFA. The key difference is minimum length: NIST requires 15 characters while PCI-DSS requires 12 (or 15 without MFA). Implementing to the higher NIST standard satisfies both frameworks simultaneously.

PCI-DSS v4.0 Password Requirements for Financial Accounts

PCI-DSS v4.0, effective March 2024 with a full compliance deadline of March 2025, introduced the most significant changes to password and authentication requirements in the standard's history. For anyone managing access to financial systems, payment platforms, or cardholder data environments, understanding these changes is essential.

PCI-DSS v4.0 Password Requirements for Financial Accounts

Financial accounts handling cardholder data must comply with PCI-DSS v4.0, the latest standard governing payment security. As of the March 2025 enforcement deadline, the framework tightened authentication controls significantly. Titan Passwords helps financial institutions align their credential policies with these mandatory requirements, reducing the risk of breaches and costly non-compliance penalties.

Minimum Password Standards Under v4.0

PCI-DSS v4.0 raised the baseline for password strength. Passwords protecting accounts with access to cardholder data environments must now meet stricter length and complexity thresholds than previous versions required.

Minimum length of 12 characters, increased from the 7-character requirement in v3.2.1.
Passwords must contain both numeric and alphabetic characters to satisfy complexity rules.
Where a system cannot support 12 characters, a minimum of 8 characters is permitted only as a documented exception.
Passwords must be changed at least once every 90 days, unless dynamic risk-based analysis is implemented.

Multi-Factor Authentication Requirements

One of the most significant changes in v4.0 is the expanded mandate for multi-factor authentication (MFA). MFA is no longer limited to remote administrative access; it now applies to all access into the cardholder data environment.

MFA is required for all personnel with access to systems processing payment data.
Authentication factors must be independent, so compromising one does not grant access to another.
MFA systems must resist replay attacks and cannot be bypassed by any user, including administrators.

Protecting Stored and Transmitted Credentials

Beyond user-facing rules, v4.0 strengthens how credentials are stored and handled internally. Passwords must be rendered unreadable during both storage and transmission across all systems.

Use strong, one-way hashing with salting for all stored authentication credentials.
Encrypt passwords in transit using strong cryptography and secure protocols.
Vendor-supplied default passwords must be changed before any system is deployed.
Group, shared, and generic accounts are prohibited unless strictly justified and managed.

How Titan Passwords Supports Compliance

Titan Passwords provides a centralized vault built specifically for the demands of financial environments. It enforces length and complexity policies automatically, integrates MFA, rotates credentials on schedule, and maintains audit-ready logs. By automating these controls, financial teams can demonstrate continuous PCI-DSS v4.0 compliance while freeing staff from manual password management burdens and minimizing human error across the organization.

What Changed in v4.0

The headline changes in Requirement 8 (Identify Users and Authenticate Access):

Minimum length increased: 12 characters (up from 7 in v3.2.1) for accounts with MFA; 15 characters without MFA
Complexity maintained: Must include both numeric and alphabetic characters
Mandatory rotation retired: The 90-day mandatory rotation requirement replaced with compromise-triggered rotation
MFA expanded: Required for all CDE access, not just remote access
Breach corpus checking: New explicit requirement to check credentials against known compromised password databases at creation

Requirement 8.3.6 in Detail

If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they must meet the following minimum requirements: (a) minimum length of at least 12 characters (or IF the system does not support 12 characters, a minimum length of eight characters); and (b) contain both numeric and alphabetic characters.

For non-MFA systems: Requirement 8.3.6 alternative specifies 15 characters minimum when MFA is not implemented. This should be treated as a floor, not a target. Use the Bank-Tier Compliance Generator to produce 20–32 character credentials that exceed all v4.0 requirements.

The End of Mandatory 90-Day Rotation

The old Requirement 8.3.9 mandated changing user passwords/passphrases at least every 90 days. This was removed in v4.0 following NIST's 2017 guidance that calendar-based rotation does not improve security and often worsens it by leading users to predictable incremental changes (Password1 → Password2).

Under v4.0, passwords must be changed when: (a) compromise is known or suspected, (b) an account is no longer needed and is being disabled, (c) an employee with access to a shared account departs. For individual accounts with strong passwords and MFA, rotation is not required on any fixed schedule.

Breach Corpus Checking (New in v4.0)

A new explicit requirement — aligned with NIST SP 800-63B — mandates that credentials be checked against known compromised password databases at the time of creation or change. The approved implementation method is the HaveIBeenPwned k-anonymity API: hash the candidate credential, send the first 5 characters of the hash to the HIBP API, check whether the full hash appears in the response. The actual credential is never transmitted.

Compliance Table

Requirement	v3.2.1	v4.0	NIST SP 800-63B 2025
Minimum length (with MFA)	7 chars	12 chars	15 chars
Minimum length (without MFA)	7 chars	15 chars	15 chars
Complexity requirement	Numeric + alpha	Numeric + alpha	None mandatory
Mandatory rotation	90 days	Compromise-triggered	Compromise-triggered
MFA for CDE access	Remote only	All access	AAL2+ recommended
Breach corpus check	Not required	Required	SHALL (required)

PCI-DSS compliance financial security authentication cardholder data

For informational purposes only. This does not constitute financial or legal advice. Consult qualified compliance and legal professionals for regulated financial environments.

How to Secure Your Investment and Brokerage Ac →