Comment by qualeed

2 days ago

PCI DSS 4.0 does not require password rotation unless the password is the only authentication (i.e. no MFA).

Use MFA, and you don't need to rotate.

> Clarified that this requirement applies if passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation).

> Added the option to determine access to resources automatically by dynamically analyzing the security posture of accounts, instead of changing passwords/passphrases at least once every 90 days.