PCI-Compliance Debate

A heated debate is about ready to start at work tomorrow…

One of my bosses sent out an e-mail stating that “To be PCI-Compliant, all users must re-set their passwords every 90 days!!”

This is for an e-commerce site where we are using a 3rd-Party Payment Processor but will be storing basic things like E-mails, Names, and Addresses.

I say that she doesn’t understand what the PCI-Compliance Guidelines say…


I agree. The 90 day thing is silly even where it applies, but if you are not collecting credit card details, it’s going way overboard.

There are two things to debate here:

  1. Do you need to be PCI Compliant if you are using a 3rd party payment processor?
  2. Is the 90-day requirement valid?

If the answer to #1 is yes, the answer to #2 is yes as well. See requirement 8.5.9 here https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf

#1 is less straightforward and it depends on the answer to:
Does your company handle credit cards directly?
The fact that you have a 3rd party processor does not necessarily imply that you do not deal with credit cards, even if they are not stored on your servers. If this processor provides a hosted payment page which does not reside on your domain, you are probably OK. But if your site uses an API to process the cards, meaning card numbers are collected on your domain and then passed to the processor, you are exposed to PCI requirements. You can reduce the PCI audit scope by proving that card numbers are not stored locally, but you still need to answer all basic requirements.
Also, if you have phone, email or fax sales you are dealing with credit cards and thus exposed to PCI requirements.

And the bottom line is that if you deal with credit card numbers, in any way, and if users have access to the systems that deal with card numbers, you will need to make sure that passwords are refreshed every 90 days.

Hope this makes sense.

Who is a “user”?

The way that link reads is that it is the “Customers”.

Name one e-commerce in the world that requires “Customers” to re-set their password every 90 days?

Also, our Lead Developer found a link that says “Only Admins, Service Providers, etc need to re-set their passwords every 90 days.” (I don’t have the link from work.)


That sounds more accurate to me. Only one third-party cart that I’ve used requires me—as the developer—to reset my password every 90 days. But the customers who use the cart are never asked to do the same.


I thought that in “users” you were referring to company employees in your original post.
There is no requirement to reset your customers’ password every 90 days. As far as I know, the way you manage passwords in your web application for web site visitors is not in the scope of PCI.


Someone sent me this link…


Looks like this is the key point to help me and the Lead Developer win our argument…

8.5 Ensure proper user identification and authentication management for non-consumer users and administrators on all system components as follows:

8.5.9 Change user passwords at least every 90 days.