GRCWatch
Sign inStart free trial

PCI DSS 8.3.6: Enforce Minimum Password Length Requirements

Password length is your first line of defense against brute-force attacks. PCI DSS 8.3.6 requires organizations to enforce minimum password length standards to protect cardholder data. This control is foundational to any credible authentication strategy.

What this means

PCI DSS v4.0 requires that all passwords and passphrases meet defined minimum length requirements. This control strengthens authentication security by ensuring passwords have sufficient complexity and resistance to cracking attempts. The specific minimum length thresholds are determined by your organization's security policies and should align with industry best practices.

How to comply

  1. 1.Define and document minimum password length requirements in your password policy (typically 12+ characters for strong security)
  2. 2.Configure all systems, applications, and user directories to enforce the minimum length at account creation and password changes
  3. 3.Implement technical controls in identity and access management (IAM) systems to reject passwords below the minimum threshold
  4. 4.Communicate password requirements to all users and provide guidance on creating strong passphrases
  5. 5.Regularly audit user accounts to identify non-compliant passwords and enforce updates
  6. 6.Test enforcement mechanisms across all systems handling cardholder data

Evidence auditors look for

  • Password policy documentation specifying minimum length requirements
  • System configuration screenshots showing enforced minimum length settings
  • IAM system logs demonstrating rejection of passwords below minimum length
  • User communication records explaining password requirements
  • Audit reports showing percentage of compliant passwords across systems
  • Test results validating enforcement across all covered systems

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically monitors password policies across your systems, alerts you to enforcement gaps, and generates audit evidence for PCI DSS 8.3.6 without manual configuration.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 8.3.3 - Password Complexity RequirementsPCI DSS 8.3.4 - Password Change FrequencyPCI DSS 8.2.3 - Multi-Factor AuthenticationPCI DSS 8.3.1 - Password Change Process