PCI DSS 8.3.6: Enforce Minimum Password Length Requirements
Password length is your first line of defense against brute-force attacks. PCI DSS 8.3.6 requires organizations to enforce minimum password length standards to protect cardholder data. This control is foundational to any credible authentication strategy.
What this means
PCI DSS v4.0 requires that all passwords and passphrases meet defined minimum length requirements. This control strengthens authentication security by ensuring passwords have sufficient complexity and resistance to cracking attempts. The specific minimum length thresholds are determined by your organization's security policies and should align with industry best practices.
How to comply
- 1.Define and document minimum password length requirements in your password policy (typically 12+ characters for strong security)
- 2.Configure all systems, applications, and user directories to enforce the minimum length at account creation and password changes
- 3.Implement technical controls in identity and access management (IAM) systems to reject passwords below the minimum threshold
- 4.Communicate password requirements to all users and provide guidance on creating strong passphrases
- 5.Regularly audit user accounts to identify non-compliant passwords and enforce updates
- 6.Test enforcement mechanisms across all systems handling cardholder data
Evidence auditors look for
- Password policy documentation specifying minimum length requirements
- System configuration screenshots showing enforced minimum length settings
- IAM system logs demonstrating rejection of passwords below minimum length
- User communication records explaining password requirements
- Audit reports showing percentage of compliant passwords across systems
- Test results validating enforcement across all covered systems
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically monitors password policies across your systems, alerts you to enforcement gaps, and generates audit evidence for PCI DSS 8.3.6 without manual configuration.
See how GRCWatch handles this control automatically
Start free trial