Skip to main content

Back to Blog

PCI Password Requirements: Is It Enough?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements aimed at ensuring sensitive data is protected, privacy is maintained, and networking systems are robust enough to withstand cyber-attacks.

PCI standards aren’t specific to any one country or organization, but rather function as a global set of standards that everyone can adhere to. As with almost all digital systems both old and new, passwords form a key part of this equation – and remain a huge weak point for security.

Today we’re going to look at the current PCI password requirements and assess whether they are good enough, or whether more can be done to protect our systems and data.

What Are the PCI Password Requirements?

For a password to meet PCI compliance standards, it must possess the following attributes:

  1. The password must be a minimum of seven characters in length.
  2. It must contain both numbers and letters.
  3. Users are required to change their passwords every 90 days.
  4. The new password must be different from the previous four passwords.
  5. When passwords are generated for the user, for example, because the user is new or the user requires a password reset, the password must be unique to each user and be changed after the first use.
  6. When a user is locked out of their account, the lock will remain active for 30 minutes, or until a system administrator can perform a reset.
  7. Vendor supplied defaults will not be allowed.
  8. Passwords must be encrypted during transmission and storage.

Are PCI Password Requirements Enough to Protect Against Cyber Attacks?

Implementing PCI password standards will safeguard systems against some cyberattacks, but there’s still room for improvement. High profile data breaches are still happening at an alarming rate as cybercriminals and cyber-attack networks continue to advance their skills and develop more sophisticated tools.

While these standards may have been appropriate in the past, they are less effective today. Data breaches are an ever-present threat to individuals, organizations, and government entities.

2019 saw financial corporation Capital One compromised resulting in over 100 million customer records being stolen. A 2019 report also found that cyberattacks are 300 times more likely to hit financial firms than other firms. These events serve as a reminder of how important it is to protect our data.

It appears that PCI standards need an update to bring them in line with current cybersecurity best practices.

Let’s take a look at why – focusing closely on the first 3 points in the PCI Password Policy.

  1. The password must be a minimum of seven characters in length.

    A minimum of seven characters is too little. While many organizations are still operating with an eight-character minimum, today the recommendation is for a 12 to 15 character minimum. If we’re abandoning eight-character passwords, then we should also abandon seven-character passwords.
  2. It must contain both numbers and letters.

    There’s much more to creating a strong password than requiring complexity (a mixture of letters, numbers and special characters). Complexity requirements often result in less complex passwords. This becomes evident when looking at the analysis done on 5,000 PCI compliant passwords. The majority of these passwords contained dictionary words, spatial keyword patterns, or passwords similar to usernames.
  3. Users are required to change their passwords every 90 days.

    Password expiration policies have been a common feature of cybersecurity standards for a long time. However, today some of the world’s leading cybersecurity bodies are recommending against them. NIST notably removed the requirement for password expiration. There are several reasons why organizations are moving away from forced password expirations. Users tend to alter their password as little as possible to ensure they don’t forget it meaning it isn’t meaningfully different. Password expiration policies also cost businesses huge amounts of money in support tickets and labor when many users forget their password. The logic behind them is also outdated. Weak passwords can now be cracked in a matter of seconds and the hacker won’t wait 90 days to use the password.

Additional Recommendations

  • Use Exposed Password Screening Tools

    As we’ve discussed above, forced password expirations lead to weak passwords because users often only change a few characters in their password but not the password as a whole. Instead of forcing users to change their passwords every 30, 60, or 90s, there’s a much simpler solution. Don’t require the users to change their password at all UNLESS you find they are using leaked passwords. You can now continually monitor user passwords to check if their passwords have been exposed in a data breach or to check whether they are using common passwords. Exposed password screening can increase security without increasing user friction.
  • Recommend Longer Passwords Over Complexity

    Many prominent cybersecurity bodies are recommending against password complexity. When password complexity is enforced users tend to default to the behaviors like capitalizing the first character in the password or adding a 1 to the end of the password. Hackers know this and create algorithms to easily crack these passwords. If a password is too complex, the user may also write it down or store it in an unsafe location. Additionally, research has shown that longer passwords with no complexity are actually stronger than shorter passwords with complexity. Longer passwords with complexity would be even stronger.

    Many companies are now asking users to create passphrases that are easy to remember like “the best meal is pizza because it is tasty and filling for me and everyone”. In terms of what password length should be enforced, 12 to 15 characters should be the minimum and there should be no maximum. If you have to implement a maximum, it should be significantly higher than the minimum.
  • Blacklist Common Passwords
    The easiest way to avoid users choosing weak or common passwords is to create a password blacklist. This blacklist should include the most common passwords such as: 12345678, qwerty, Password1, abc123 and letmein.

    However, a good blacklist will have password exposed in recent data breaches. It’s also a good idea to blacklist common dictionary words, context-specific passwords such as names of popular local sports teams, common first and last names, names of places, and so on.

With Enzoic, organizations can meet a lot of these PCI password requirements in one automated tool. To learn more, visit


Read more about PCI: What’s behind PCI’s New MFA Requirements?