PCI DSS 8.3.9: Change Non-Consumer Passwords Every 90 Days
PCI DSS control 8.3.9 requires organizations to reset non-consumer user passwords at least every 90 days to reduce the risk of unauthorized access and credential compromise. This foundational access control prevents long-term password exploitation while maintaining security across your cardholder data environment. Understanding and automating this requirement is critical for maintaining PCI compliance.
What this means
Non-consumer user accounts—including administrators, developers, and service accounts—must have their passwords changed at minimum once every 90 days. This control applies to all accounts that access systems containing or processing payment card data. The 90-day cycle ensures that compromised credentials have a defined expiration window, limiting the window of opportunity for attackers to exploit stolen passwords.
How to comply
- 1.Implement password management policies that mandate 90-day maximum password age across all non-consumer user accounts
- 2.Configure identity and access management systems to enforce automatic password expiration notifications at 30, 14, and 7 days before expiration
- 3.Document all password change procedures and ensure users understand the requirement and deadline
- 4.Verify that password change functionality is working correctly by testing the system's ability to force password resets
- 5.Maintain audit logs showing when each non-consumer password was last changed
- 6.Establish a process to handle accounts that miss the 90-day deadline with immediate password resets
Evidence auditors look for
- Identity and access management (IAM) system configuration showing 90-day password expiration policy enabled
- Password management system reports detailing last password change dates for all non-consumer accounts
- Email notification templates sent to users about upcoming password expiration
- Audit logs from the past 90 days showing successful password change events by non-consumer users
- Policy documentation defining password change requirements and the 90-day cycle
- Screenshots of system settings enforcing maximum password age restrictions
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically monitors password age across all non-consumer accounts, alerts you before the 90-day window closes, and generates audit-ready reports proving compliance without manual log collection.
See how GRCWatch handles this control automatically
Start free trial