PCI Compliance Password Requirements

NetSuite abides by the Payment Card Industry Data Security Standard (PCI DSS) password requirements. Users with either the View Unencrypted Credit Cards permission or the View Unencrypted ACH Account Numbers permission must change their passwords at least every 90 days.

If the number of days set in the Password Expiration in Days field on the General Preferences page is less than 90 days, the company requirement remains in effect. For example, if a company is set to expire passwords every 60 days, your password expiration date does not change. However, if the company is set to expire passwords every 120 days, this setting automatically changes to 90 days for users with either the View Unencrypted Credit Cards permission or the View Unencrypted ACH Account Numbers permission.

Passwords for users with access to unencrypted credit card numbers or unencrypted ACH accounts must have a minimum of 12 characters. If the number of characters set in the Minimum Password Length field on the General Preferences page is greater, that greater requirement remains in effect.

All users with access to unencrypted credit card numbers or unencrypted ACH accounts must change passwords to comply with the PCI requirements.

Related Topics

Password Requirements and Policies in NetSuite
NetSuite Password Requirements
User Access Reset Tool
Password Reset Tips for Administrators
Password Changes Are Logged in System Notes on Entity Records
