8.3.6—If passwords/passphrases are used as authentication factors to meet Requirement 8.
>Requirement Description
If passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they meet the following minimum level of complexity: A minimum length of 12 characters (or IF the system does not support 12 characters, a minimum length of eight characters). Contain both numeric and alphabetic characters. Applicability Notes This requirement is not intended to apply to: User accounts on point-of-sale terminals that have access to only one card number at a time to facilitate a single transaction. Application or system accounts, which are governed by requirements in section 8.6. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment. Until 31 March 2025, passwords must be a minimum length of seven characters in accordance with PCI DSS v3.2.1 Requirement 8.2.3.
>Cross-Framework Mappings
NIST CSF 2.0
via NIST OLIR CatalogAsk AI
Configure your API key to use AI features.