Comment by jjav

> The only requirement for password rotation in PCI DSS v4.0 is if the password is the only form of authentication (i.e. no MFA). Use MFA (which you should be anyways) and you don't need to enforce password rotation.

We just completed our PCI audit for the year and the auditor is adamant that this is the requirement.

Perhaps they're wrong, but fighting with the auditors is like wrestling with pigs, best avoided.