PCI DSS 8.3.10.1: Issue Customer Password Change Guidance Every 90 Days
As a PCI DSS service provider, you must proactively guide your customers to change passwords at least every 90 days. This control reduces the risk of compromised credentials and demonstrates your commitment to customer security. GRCWatch helps you automate these recurring guidance deliveries without manual tracking.
What this means
PCI DSS 8.3.10.1 is an additional requirement for service providers that mandates sending password change guidance to customers on a recurring basis—at minimum, once every 90 days. This guidance should educate customers on creating strong passwords, recognizing phishing attempts, and maintaining account security. The requirement ensures customers understand their role in protecting cardholder data.
How to comply
- 1.Create standardized password guidance documentation that covers best practices for password complexity, length, and unique character requirements.
- 2.Establish a 90-day calendar schedule for delivering guidance to all customers; consider automating this with email or portal notifications.
- 3.Document the date and method each guidance communication was sent to maintain audit evidence.
- 4.Include specific recommendations on password managers, multi-factor authentication, and account security hygiene.
- 5.Track customer acknowledgment or engagement with guidance materials where possible.
- 6.Review and update guidance annually to reflect emerging threats and industry best practices.
Evidence auditors look for
- Email logs showing password guidance sent to all customers within the 90-day window
- Documentation of guidance content templates and distribution lists
- Calendar or ticketing system records demonstrating scheduled compliance intervals
- Customer portal notifications or in-app messages with password change reminders
- Audit logs showing delivery timestamps and customer contact information
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates 90-day password guidance scheduling and delivery tracking, eliminating manual reminders and generating audit-ready evidence logs for your assessments.
See how GRCWatch handles this control automatically
Start free trial