
Sadly, PCI compliance requirements believe otherwise :(


The PCI requirement is to change passwords every 90 days.


And it is patently silly, forcing the requirement to decrypt rarely used private keys every 90 days.

The requirement should depend on password and hash strength, not some arbitrary decision.

PCI does not recommend employing password entropy checkers either.

A 90-day password can be weak while passing all the requirements.


Everywhere I've worked appears to have their own way of circumventing the security of PCI requirements. On a military base where I worked, everyone used an easily recognizable pattern on the keyboard. Another place was something like [employer][symbol][123 or 321]. All too often people use the same pattern that the IT team uses when they reset your password. So if the IT team typically sets your password to WhyCombin@tor1, then everyone's going to cycle through 1-10.

Making people reset their password every 90 days probably causes more problems than it solves and incentivizes more easily guessable passwords.
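The comment above describes rotation patterns (an IT-reset template with the trailing digit cycled, employer-plus-symbol-plus-123, keyboard walks) that satisfy a length-and-character-class rule and are still trivially guessable. The following is an added example, not code from the thread or from the PCI SSC, showing a password check that accepts such passwords under a PCI-style complexity rule and then rejects them on pattern checks. The thresholds (minimum length seven, both alphabetic and numeric characters) are my approximation of PCI DSS v3.2.1 requirement 8.2.3; the US QWERTY walk list, the employer name `acme` and the sample passwords are all constructed for illustration.

```python
"""Added example: a PCI-style complexity rule versus pattern checks.

The complexity thresholds below are an assumed approximation of PCI DSS
v3.2.1 requirement 8.2.3 (minimum length seven, alphabetic plus numeric
characters); verify against the current standard before relying on them.
"""
import re
from typing import Iterable, Optional

MIN_LENGTH = 7  # assumed PCI-style minimum

# Forward walks on a US QWERTY keyboard: rows plus the common columns.
# Reversed walks are derived at check time.
KEYBOARD_WALKS = [
    "1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm",
]


def passes_pci_style_complexity(pw: str) -> bool:
    """Length >= MIN_LENGTH and at least one letter and one digit."""
    return (len(pw) >= MIN_LENGTH
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


def is_template_cycle(new_pw: str, old_pw: str) -> bool:
    """True when only a trailing run of digits changed, e.g.
    WhyCombin@tor1 -> WhyCombin@tor2 (the IT-reset template being cycled)."""
    m_new = re.fullmatch(r"(.*?)(\d+)", new_pw)
    m_old = re.fullmatch(r"(.*?)(\d+)", old_pw)
    return bool(m_new and m_old and m_new.group(1) == m_old.group(1))


def is_org_pattern(pw: str, org_names: Iterable[str]) -> bool:
    """[employer][symbol][123 or 321], case-insensitive on the employer name."""
    for org in org_names:
        pattern = rf"{re.escape(org)}[^A-Za-z0-9](123|321)"
        if re.fullmatch(pattern, pw, re.IGNORECASE):
            return True
    return False


def is_keyboard_walk(pw: str, min_run: int = 4) -> bool:
    """True if the password contains min_run adjacent keys walked in
    either direction along any row or column in KEYBOARD_WALKS."""
    lowered = pw.lower()
    for walk in KEYBOARD_WALKS:
        for direction in (walk, walk[::-1]):
            for i in range(len(direction) - min_run + 1):
                if direction[i:i + min_run] in lowered:
                    return True
    return False


def check_password(new_pw: str, previous_pw: Optional[str] = None,
                   org_names: Iterable[str] = ()) -> Optional[str]:
    """Return a rejection reason, or None if every check passes.

    The complexity rule runs first so the caller can see that the
    pattern-based rejections all apply to passwords that complexity
    alone would have accepted."""
    if not passes_pci_style_complexity(new_pw):
        return "fails length/character complexity"
    if previous_pw is not None and is_template_cycle(new_pw, previous_pw):
        return "previous password with only the trailing digits changed"
    if is_org_pattern(new_pw, org_names):
        return "employer name, a symbol and 123/321"
    if is_keyboard_walk(new_pw):
        return "keyboard walk"
    return None


if __name__ == "__main__":
    # Constructed rotation history, not real credentials: each entry is a
    # plausible "next" password under a 90-day rotation rule.
    history = ["WhyCombin@tor1", "WhyCombin@tor2", "acme!123", "qwertyuiop1"]
    for prev, cur in zip([None] + history, history):
        print(f"{cur!r:18} complexity_ok={passes_pci_style_complexity(cur)} "
              f"reject={check_password(cur, prev, org_names=['acme'])}")
```

Every password in the constructed history passes the complexity rule; only the history-aware and pattern checks catch them, which is the gap the comment above is pointing at. A real deployment would compare against more than one previous password and would need the stored history to be hashed, which changes the template check into a compare-candidates-against-hashes loop rather than a plaintext prefix comparison.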


PCI in general is patently silly.



