PCI DSS 8.3.10: Provide Service Provider Password Guidance
Service providers must equip customers with clear, actionable password guidance to protect cardholder data access. This control ensures your customers understand security expectations and can implement strong authentication practices. Failing to provide guidance creates compliance gaps and increases breach risk across your customer base.
What this means
PCI DSS 8.3.10 requires service providers to provide documented password guidance to customers who access cardholder data (CHD) through your platform or systems. This guidance must address password creation, complexity, rotation, and management best practices—enabling customers to meet their own PCI DSS obligations while using your services.
How to comply
- 1.Document comprehensive password guidance tailored to customer access scenarios
- 2.Include minimum requirements: length, complexity, expiration, and reuse restrictions
- 3.Specify guidance for both user passwords and service account credentials
- 4.Make guidance easily accessible during customer onboarding and in support resources
- 5.Update guidance annually or when industry best practices evolve
- 6.Communicate guidance changes to existing customers proactively
- 7.Track evidence that guidance was provided to each customer
Evidence auditors look for
- Published password policy documentation provided to customers
- Customer onboarding materials referencing password requirements
- Support documentation or knowledge base articles on password best practices
- Customer acknowledgment records confirming receipt of guidance
- Email communications distributing or updating password guidance
- Service agreements that reference password security requirements
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates password guidance delivery by generating PCI DSS-compliant policy templates, tracking customer acknowledgments, and flagging when guidance needs refresh—eliminating manual compliance tracking.
See how GRCWatch handles this control automatically
Start free trial