Important Notice from AspDotNetStorefront
It is with dismay that we report that we have been forced, through the action of hackers, to shut off write-access to this forum. We are keen to leave the wealth of material available to you for research. We have opened a new forum from which our community of users can seek help, support and advice from us and from each other. To post a new question to our community, please visit: http://forums.vortx.com

Thread: Stop forcing customer password reset

  1. #1
    ewolsing is offline Junior Member
    Join Date
    Mar 2009
    Posts
    3

    Stop forcing customer password reset

    I want to stop forcing customers who visit my site infrequently to reset their password.

    I have looked through the app config variables, but the variables I saw seem to only apply to administrators.

    Does anyone have any idea of how to accomplish this?

    Thanks,
    Eric

  2. #2
    Louie is offline Senior Member
    Join Date
    Oct 2008
    Posts
    126


    Please be reminded that the periodic password change for the customer is a PCI requirement.

  3. #3
    ewolsing is offline Junior Member
    Join Date
    Mar 2009
    Posts
    3


    Ok. I get that periodic password changes are part of PCI compliance.

    How do sites like Amazon (same password for the last six years) skirt that issue and remain in compliance? My older customers (who are the bulk of my customers) are annoyed at having to change their passwords so often. Unhappy customers tend to go elsewhere.

    Is there any way to lengthen the password change requirement for customers only? I have not seen any config variables that deal with this.

  4. #4
    estephen is offline Senior Member
    Join Date
    Apr 2006
    Location
    Dallas
    Posts
    208


    I've had the same Paypal password for years as well. Same with Ebay, Amazon, Fedex, and many, many other major players. In fact, I don't think I've ever been forced to change a password by anyone except SalesForce.com - and they are on the far extreme of being uber-strict about reusing passwords, etc. - it is very annoying.

    Is the software's PCI compliant status negated if a store owner has the ability to change an AppConfig to relax the restrictions? Can't it be PCI compliant with all appropriate AppConfigs enabled, otherwise use at your own risk? Maybe even a compliance check in the Admin panel like there is for Security best practices?

    It seems like software can only offer "compliance" and encourage customer "adherence" as a best-practice... not force it. After all, the cart can always be customized with source to break the compliance anyway.

    Just a thought.

  5. #5
    Sean is offline Member
    Join Date
    Jan 2006
    Location
    Canada
    Posts
    90


    I understand the importance of PCI compliance; it helps to put this product on the pinnacle of the professional scale. However, I also do strongly feel that forcing a continual password reset on a customer can be a huge turn-off to users and is bad for business.
    /// Sean ///

  6. #6
    AspDotNetStorefront Staff - Scott is offline Administrator
    Join Date
    Mar 2007
    Location
    Ashland, OR
    Posts
    2,390


    We don't actually force customer password resets, only admin users. If your customers are being forced to do that, then something's been modified (or you've somehow managed to set them all up as admin users - EEK!).

    The rule Louie was referring to was for what the PCI SSC calls "non-consumer users and administrators", 8.5.9 of the PCI-DSS:

    Change user passwords at least every 90 days.

  7. #7
    SurfAndSwim is offline Junior Member
    Join Date
    Jun 2009
    Posts
    15


    The field "PwdChanged" in the Customer table is what triggers the passwords needing to be changed. Set it to 1/1/2020 and you won't be prompted to change your password.
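The two points made in posts #6 and #7 (the 90-day rule from PCI-DSS 8.5.9 is meant for admin accounts only, and the `PwdChanged` column on the Customer table is what drives the prompt) can be illustrated with a small policy check. This is an added example, not code from the thread or from the AspDotNetStorefront product: the `IsAdmin` column, the 90-day constant and the sample rows are assumptions constructed here, and only `PwdChanged` is named on the page. It also adds a defender-side audit: any row whose `PwdChanged` lies in the future is a sign that expiry was worked around by forward-dating the column, which matters when the row is an admin account.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy, not taken from the product: admin (non-consumer) passwords
# expire after 90 days, matching the PCI-DSS 8.5.9 text quoted in the thread;
# consumer accounts are never forced to reset.
ADMIN_MAX_PASSWORD_AGE = timedelta(days=90)

# Constructed "current date" for the worked example (around when the thread was posted).
NOW = datetime(2009, 7, 1)


@dataclass
class CustomerRow:
    """Minimal stand-in for a Customer table row.

    PwdChanged is the column named in the thread; IsAdmin is an assumed column
    used here to separate admin users from ordinary customers.
    """
    customer_id: int
    is_admin: bool
    pwd_changed: datetime


def must_reset_password(row: CustomerRow, now: datetime) -> bool:
    """True if this account should be prompted to change its password.

    Only admin accounts are subject to the 90-day rule. A PwdChanged date in
    the future yields a negative age and therefore never triggers a prompt,
    which is exactly why forward-dating the column suppresses the reset.
    """
    if not row.is_admin:
        return False
    return now - row.pwd_changed >= ADMIN_MAX_PASSWORD_AGE


def accounts_due_for_reset(rows, now: datetime):
    """IDs of accounts that would be prompted to change their password."""
    return [r.customer_id for r in rows if must_reset_password(r, now)]


def find_future_dated(rows, now: datetime):
    """Audit: IDs of accounts whose PwdChanged is after 'now'.

    A legitimately stored change date cannot be in the future, so any hit
    points at a manually edited column. For admin rows this means the 90-day
    control has been bypassed and should be restored.
    """
    return [r.customer_id for r in rows if r.pwd_changed > now]


# Constructed sample data (not real store records).
SAMPLE_ROWS = [
    CustomerRow(1, True, datetime(2009, 1, 15)),   # admin, 167 days old -> due
    CustomerRow(2, True, datetime(2009, 5, 1)),    # admin, 61 days old  -> not due
    CustomerRow(3, False, datetime(2006, 3, 10)),  # customer, old but exempt
    CustomerRow(4, True, datetime(2020, 1, 1)),    # admin, forward-dated -> audit hit
]


if __name__ == "__main__":
    print("due for reset:", accounts_due_for_reset(SAMPLE_ROWS, NOW))
    print("future-dated PwdChanged:", find_future_dated(SAMPLE_ROWS, NOW))
```

Running the block lists account 1 as due for reset and flags account 4 in the audit, while the long-unchanged customer account 3 is left alone. If you see customers being prompted in a stock install, the equivalent of the `is_admin` branch is what to check first, as post #6 suggests.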