How often must passwords be changed to comply with PCI requirements?

The requirement that passwords need to be changed every 90 days is aligned with the Payment Card Industry Data Security Standard (PCI DSS). This standard aims to enhance the security of payment account data to ensure that sensitive information is appropriately safeguarded against unauthorized access and potential breaches.

Requiring a password change every 90 days helps to minimize the risk of unauthorized access, as it forces users to create new passwords periodically, thereby limiting the amount of time any compromised password could be exploited. Consistent password updates engage users in better security practices and promote a culture of vigilance regarding data protection.

Other choices suggest more frequent changes, such as 30 or 60 days, which are not necessary according to PCI's updated guidelines. While it may seem logical to require more frequent updates to bolster security, PCI requirements have evolved, and now, a 90-day period is deemed sufficient when combined with other security measures such as complex password criteria and account lockout policies.