What Are the Password Requirements for PCI DSS in 2025?
PCI DSS 4.0 has several requirements around password security for credit card merchants and service providers. Here’s how long they need to be, how often they need to be changed, and when MFA is mandatory.
Conventional wisdom says you should have high standards for how you conduct business, be it in customer interactions, how you make your product or deliver services, or how you store data or personal information. Not only does this build customer trust and loyalty, but it also ensures everyone is well protected against negative consequences, like financial or legal issues or a security breach.
The Payment Card Industry Data Security Standard (PCI DSS) embodies this exact mission by setting the rules for how credit card brands and issuers approach cybersecurity and secure and protect cardholder data—the person’s name, account number, card expiration date, or sensitive information such as a PIN.
PCI DSS 4.0 is the latest version of the security standard for the payment card industry. With this recent update, the requirements better reflect the current tech landscape and provide stakeholders with more flexibility and security as cyberattacks become more sophisticated. The new PCI DSS includes guidelines specifically around passwords and password management—how they’re written and updated, and how companies verify them.
Below, we outline all the password requirements in PCI DSS 4.0 and how that could impact your organization, whether it’s a major retailer or a burgeoning startup.
What is PCI DSS 4.0?
PCI DSS requirements are set by the PCI Security Standards Council (SSC), a global forum founded by five major credit card brands: American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.
As technology evolves, so do the standards the PCI SSC outlines for vendors. In 2022, the PCI SSC released version 4.0 of the PCI DSS, the first update to the security standards since June 2018. However, v4.0 didn’t go into effect until April 2024 (and some requirements were still considered best practices until they became mandatory on March 31, 2025).
Any merchant that accepts credit cards and any service provider that impacts the security of cardholder data must comply with PCI DSS—but the requirements for doing so vary depending on the type of business or number of transactions.
For example:
Level one: businesses that process more than 6 million card transactions per year
Level two: businesses that process between 1 million and 6 million card transactions per year
Level three: businesses that process between 20,000 and 1 million card transactions per year
Level four: businesses that process fewer than 20,000 card transactions per year
A level one organization may need to conduct more audits than a level four.
To prove you meet these standards, you can either have a PCI DSS audit conducted by a Qualified Security Assessor or complete a PCI DSS self-assessment questionnaire (SAQ). (You may also institute PCI DSS penetration testing to uncover vulnerabilities in your cardholder data environment.) Whether the SAQ or a pen test is required depends on your level under PCI DSS.
The entire process could take several weeks or several months if a third-party auditor is involved, and should be conducted annually to ensure you maintain compliance and meet any new standards that may arise. Without compliance, businesses might not be able to process transactions from major credit card brands and could face fines or legal actions.
The Password Requirements Under PCI DSS 4.0
PCI DSS 4.0 requirements include several updates that address password length, complexity, change frequency, and repeat use, as well as multi-factor authentication (MFA).
The reason for this change is fairly simple: The stronger and more elaborate a person’s login is, the harder it is for even the best hackers to get into their accounts. When payment providers prioritize password security, they help their customers keep private information safe and protect themselves from liability.
More password regulation has its downsides, though: Credit card merchants and service providers might have more difficulty instituting these new standards and find their user experiences or internal systems are harder to maintain and navigate.
Here’s a breakdown of each of the new password requirements in PCI DSS 4.0, its impact on users and organizations, and how you can enforce them.
Password Length and Complexity
The new version of PCI DSS increases the minimum length for passwords from seven characters to 12 characters. If your system doesn’t support 12 characters, passwords must be eight characters long at minimum.
The 8- or 12-character minimum must also include a mix of uppercase and lowercase letters, numbers, and special characters (think: punctuation marks or symbols).
The Impact
Longer and more complex passwords may be safer, but they can also be more challenging for users to uphold. This update could increase customer service requests from those who get locked out. Users may also resort to changing their passwords only slightly over time to better remember them, which makes the new passwords easier for attackers to guess.
Password Change Frequency and Reusability
If only a password is used to log into an account (versus a password plus a token or fingerprint, like with multi-factor authentication), the cardholder must be prompted to change their password every 90 days under PCI DSS 4.0. This requirement may be bypassed by organizations employing either the Zero Trust security framework or continuous, risk-based authentication that dynamically evaluates risk in real time based on behavioral factors.
The Impact
As with password length and complexity, requiring users to change their passwords regularly could make it harder for them to recall them—raising the need for tech assistance—or force individuals to set passwords that aren’t differentiated enough to be considered strong. With the addition of Zero Trust as an alternative approach, however, businesses can streamline and improve the user experience overall.
Password Repeat Use
PCI DSS 4.0 mandates that providers block the reuse of the last four passwords an account holder has used. This ensures passwords remain strong over time and encourages users to vary what they choose, so that attackers can't easily guess recurring words or phrases or leverage one common password to access multiple accounts.
The Impact
While this aims to prevent bad actors from using common passwords across accounts, it also adds friction to the user experience.
Account Lock After Failed Attempts
If a user has had 10 unsuccessful login attempts, PCI DSS 4.0 requires that they be locked out for at least 30 minutes or until they verify their identity through a help desk or other means, such as a security question.
The Impact
Combined with the added complexity requirements of passwords, account lockouts can make it harder for users to conduct everyday tasks and potentially bog down help desks with more security requests.
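The length and complexity, 90-day change, last-four reuse and 10-attempt lockout rules described in the sections above, combined into one policy module. This is an added example, not code from the article or from Drata; the `Account` class, the salted PBKDF2 hashing and its iteration count, and the sample passwords are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib, hmac, os, string
# Policy values as the article states them for PCI DSS 4.0 (min length 8 only where 12 is unsupported)
MIN_LEN, HISTORY, MAX_FAILED = 12, 4, 10
LOCKOUT, ROTATION = timedelta(minutes=30), timedelta(days=90)

def complexity_errors(pw, min_len=MIN_LEN):
    """Return the rules a candidate password fails (empty list = compliant)."""
    rules = {
        f"at least {min_len} characters": len(pw) >= min_len,
        "an uppercase letter": any(c.isupper() for c in pw),
        "a lowercase letter": any(c.islower() for c in pw),
        "a digit": any(c.isdigit() for c in pw),
        "a special character": any(c in string.punctuation for c in pw),
    }
    return [name for name, ok in rules.items() if not ok]

def _hash(pw, salt):  # salted PBKDF2; the iteration count is illustrative only
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

@dataclass
class Account:
    history: list = field(default_factory=list)  # [(salt, digest)], newest last
    failed: int = 0
    locked_until: datetime = None
    changed_at: datetime = None

    def set_password(self, pw, now):
        """Apply complexity and reuse rules; store a new hash only if both pass."""
        errs = complexity_errors(pw)
        if any(hmac.compare_digest(_hash(pw, s), d) for s, d in self.history[-HISTORY:]):
            errs.append(f"matches one of the last {HISTORY} passwords")
        if not errs:
            salt = os.urandom(16)
            self.history.append((salt, _hash(pw, salt)))
            self.changed_at = now
        return errs

    def login(self, pw, now):
        # Returns 'locked', 'failed', 'change_required' or 'ok'
        if self.locked_until and now < self.locked_until:
            return "locked"
        salt, digest = self.history[-1]
        if not hmac.compare_digest(_hash(pw, salt), digest):
            self.failed += 1
            if self.failed >= MAX_FAILED:  # 10th failure locks the account for 30 minutes
                self.locked_until, self.failed = now + LOCKOUT, 0
                return "locked"
            return "failed"
        self.failed = 0  # successful login resets the failure counter
        return "change_required" if now - self.changed_at > ROTATION else "ok"
```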
Inactivity Protocols
Under PCI DSS 4.0, accounts that have been inactive for more than 90 days must be disabled or deactivated. If an application session remains idle for more than 15 minutes, the user must re-authenticate before continuing.
The Impact
This ensures unauthorized individuals can’t access or exploit a user’s information if they step away or leave an account unattended. That said, users who don’t regularly sign in could lose important accounts and have to go through a tedious process for reinstating user access.
MFA Requirements
Multi-factor authentication (MFA) is now required for all access to the cardholder data environment (CDE), that is, the system components, people, and processes that store, process, or transmit cardholder data and/or sensitive authentication data (for context, PCI DSS 3.2.1 only mandated MFA for administrative access). MFA is also required for all remote access, like when using a VPN. In short, any cardholder or credit card provider, regardless of role, must use MFA.
A provider’s MFA system must not be susceptible to replay (aka man-in-the-middle) attacks and must not be able to be bypassed unless a specific exception is documented and authorized by management.
In addition, it must use two different and independent factors for authentication. These could be:
Something you know, such as a password or passphrase, PIN, or answer to a secret question.
Something you have, such as a token device, key, or smartcard.
Something you are, such as a retina, fingerprint, or facial scan.
Lastly, access can’t be granted until all authentication factors are successful.
FIDO (Fast IDentity Online) authentication is the preferred method for MFA, but it’s not mandatory under PCI DSS 4.0. FIDO standards recommend passkeys—a form of digital authentication leveraging a device’s built-in tools like Face ID or a PIN—to add complexity to the login process and prevent phishing attempts without making the process a burden on users.
The Impact
Setting up MFA is a complicated process for many businesses—it could become a significant hurdle to achieving compliance if you don’t have the right budget or resources. It also makes logging in a longer process for users who already use MFA to access a network. Users who have never used MFA before might also struggle to apply it to their workflows, especially if they forget to keep a second device or token handy or can’t remember their answers to security questions.
Cryptographic Protocols
Under PCI DSS 4.0, any stored sensitive authentication data, such as a card’s PIN or data from the magnetic stripe or chip, must be encrypted using strong cryptography (modern, industry-approved algorithms, for example). This extends earlier versions of PCI DSS, which already required strong cryptographic protocols to protect transactions and payment card data.
The Impact
Like MFA, this could be a challenge for many small businesses to meet and thus achieve compliance, as it requires money, time, and niche expertise and talent to implement and maintain successfully.
Automate and Simplify PCI DSS Compliance With Drata
PCI DSS got your head spinning? You don’t have to tackle its nuances alone: Drata’s all-in-one solution enables you to manage PCI controls through a single dashboard, eliminating uncertainty and making it simple to track progress around cybersecurity. With access to compliance experts, real-time security reports, and a robust PCI playbook, you can stay informed, in control, and ready to implement requirements in no time—not to mention automated tasks so your team can focus on bigger priorities.
Book a demo of Drata’s compliance automation solution today and learn how easy it can be to maintain and scale your PCI DSS compliance.
PCI Password Requirements Frequently Asked Questions (FAQs)
You probably still have plenty of questions as to why PCI DSS exists and how your business can best meet its standards and maintain proper password management. Below, we break it all down so you can get started confidently:
What is PCI DSS 4.0, and Why Was It Introduced?
PCI DSS 4.0 is the latest version of the Payment Card Industry Data Security Standard, a set of requirements for protecting cardholder data. It was introduced in 2022 and went into effect in April 2024.
This new version takes into account the sophistication of cyberattacks and data breaches. It also allows vendors to meet its standards while providing an optimal user experience.
What is the Minimum Password Length Under PCI DSS?
Under the latest version of PCI DSS (4.0), the minimum password length is 12 characters. Systems that can’t support 12 characters must set a minimum password length of eight characters. The previous version of PCI DSS had a minimum password length of seven characters.
How Often Do Passwords Need to be Changed for PCI DSS?
Under the latest version of PCI DSS, passwords need to be changed at least every 90 days unless the system dynamically analyzes the security posture of accounts in real time.
Does PCI Require MFA or Just Strong Passwords?
The latest version of PCI DSS requires multi-factor authentication for everyone, regardless of role, including remote access. MFA must use at least two different and independent factors for authentication. This can be something you know (a password or PIN), something you have (a token or smartcard), and/or something you are (facial recognition or fingerprint).