PCI DSS 8.3.7: Prevent Password Reuse
Password reuse is a critical vulnerability that undermines authentication security. PCI DSS 8.3.7 requires organizations to prevent users from resubmitting any of their last four passwords, forcing regular password rotation and reducing the risk of compromised credentials being exploited repeatedly. This control is essential for maintaining strong access controls across cardholder data environments.
What this means
This control mandates that user authentication systems reject any new password that matches any of the user's four most recently used passwords. The requirement ensures that password history is tracked and enforced at the system level, preventing users from cycling through the same weak passwords or reusing previously compromised credentials. Organizations must configure authentication systems to maintain password history and validate new passwords against this history before acceptance.
How to comply
- 1.Configure your authentication system or directory service (Active Directory, LDAP, etc.) to enforce password history of at least 4 passwords.
- 2.Set password policy to reject any new password matching the last 4 passwords in the user's history.
- 3.Document your password history configuration settings and retention period.
- 4.Test the policy by attempting to reuse recent passwords and verify rejection occurs.
- 5.Train users on the password reuse prevention requirement and the rationale behind it.
- 6.Monitor and log all password change attempts to detect circumvention attempts.
Evidence auditors look for
- Active Directory Group Policy Objects (GPOs) configured with password history minimum of 4 passwords
- Authentication system configuration screenshots showing password history enforcement settings
- Log files or reports documenting rejected password change attempts due to reuse
- User communication or training materials explaining password reuse prevention policy
- System documentation detailing how password history is stored and validated
- Periodic audit reports confirming password history settings remain in place
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically enforces and documents password history policies across your infrastructure, generating audit-ready evidence of compliance with 8.3.7 without manual configuration audits.
See how GRCWatch handles this control automatically
Start free trial