What is the minimum password change interval?

Study for the PCI Data Security Standard Exam. Master your knowledge with interactive flashcards and multiple-choice questions, each with hints and explanations. Prepare confidently for your certification test!

Multiple Choice

What is the minimum password change interval?

Explanation:
The main idea here is how often passwords should be rotated to limit the window of opportunity for misuse if credentials are compromised. PCI DSS sets a minimum interval of 90 days for changing user passwords. Requiring periodic changes helps ensure that a password won’t remain valid indefinitely, reducing the risk that stolen or leaked credentials can be abused for a long time. If there’s any suspicion of a compromise, passwords must be changed immediately, which is an even stronger protection beyond the standard interval. Shorter intervals (like 90 days) strike a balance between security and user burden, whereas longer intervals give attackers more time to exploit stolen credentials.

