PCI DSS 8.3.5: Enforce Password Complexity Requirements
Password complexity is a foundational layer of cardholder data protection under PCI DSS 8.3.5. This control requires passwords and passphrases to meet defined minimum complexity standards, preventing weak credentials from becoming a breach vector. For payment processing organizations, implementing robust complexity rules is non-negotiable for audit readiness.
What this means
PCI DSS 8.3.5 mandates that all passwords and passphrases used to access systems containing cardholder data must meet minimum complexity requirements. This means enforcing rules for password length, character variety (uppercase, lowercase, numbers, special characters), and preventing easily guessable patterns. The goal is to significantly increase the difficulty of unauthorized access through credential compromise.
How to comply
- 1.Define minimum password length of at least 8 characters (industry best practice suggests 12+)
- 2.Require a mix of character types: uppercase letters, lowercase letters, numbers, and special characters
- 3.Prevent common patterns and dictionary words in passwords
- 4.Disable password reuse for a defined number of previous passwords
- 5.Implement technical controls in authentication systems to enforce complexity at password creation
- 6.Document password complexity policies in your information security policy
- 7.Communicate requirements to all users with system access
- 8.Audit existing user accounts to identify non-compliant passwords and enforce reset cycles
Evidence auditors look for
- Password policy documentation specifying minimum complexity requirements
- System configuration screenshots showing complexity enforcement enabled
- Active Directory or IAM system settings with complexity rules configured
- User onboarding training materials covering password requirements
- Audit logs showing password change events and policy enforcement
- Compliance attestation from system administrators confirming enforcement
- Regular user access reviews confirming all accounts meet complexity standards
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates password complexity policy documentation and enforcement verification across your environment, eliminating manual audits of user accounts and providing audit-ready evidence that 8.3.5 requirements are consistently applied.
See how GRCWatch handles this control automatically
Start free trial