What is the policy regarding reusing previous passwords?

Study for the PCI Data Security Standard Exam. Master your knowledge with interactive flashcards and multiple-choice questions, each with hints and explanations. Prepare confidently for your certification test!

Multiple Choice

What is the policy regarding reusing previous passwords?

Explanation:
The concept being tested is password history enforcement: preventing reuse of recently used passwords. In PCI environments, a password policy typically remembers a set number of previous passwords and forbids creating a new one that matches any of them. Four previous passwords is a common threshold, so you can’t reuse any of those recent values. This strengthens security by stopping the simple rotation of a small password set and reducing risk if a password was compromised or captured. It works alongside other controls like minimum length and complexity to provide stronger overall protection. The other options would weaken security—reusing after a fixed number of changes, requiring supervision, or waiting a long period like 90 days—because they still allow cycling back to recent passwords or are not practical, scalable policies for PCI environments.
