How is requirement 8.3.6 being presented given it is future dated but falls back on previous version 3.2.1 requirement 8.2.3?

In PCI DSS version 4.0 question 8.3.6 states that password complexity will require a minimum length of twelve characters (where twelve characters are supported, otherwise a minimum of eight characters is required), however this is a future dated requirement, best practice until after 31st March 2025. Until then, the PCI DSS version 3.2.1 version of this same requirement (8.2.3) should be applied.

8.2.3 asks: (a) Are user password parameters configured to require passwords/passphrases meet the following? – A minimum password length of at least seven characters – Contain both numeric and alphabetic characters Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above.

The version 4.0 SAQ question itself does not include any text from the version 3.2.1 question, and only refers to it in the applicability notes. Therefore, we have included a screen in the profile, that is presented to merchants of the following SAQ types: D, A-EP, C, C-VT and A.

“Do you enforce a minimum password length of seven characters, containing both numeric and alphabetic characters, for user accounts on all POS devices, computers and systems in your business?”

If the question is answered ‘Yes’, we auto-answer SAQ question 8_3_6 as ‘Yes’ and present a pop-up advising it is best practice until 31st March 2025.

Pop-up alert if answered yes: Please note: this is best practice until 31st March 2025, after which password complexity will require a minimum length of twelve characters (where twelve characters are supported, otherwise a minimum of eight characters is required)

If the question is answered ‘No’, we do not auto-answer SAQ question 8_3_6 and instead you will need to respond to this question directly in the SAQ.