Why does Monetra make me change my password every 90 days?

Overview

Monetra is a PA-DSS validated payment application and therefore must adhere to the rules set forth by the PCI Security Standards Council. In particular, Monetra is complying with PCI DSS Requirement 8.5.9: Change user passwords at least every 90 days.

For more information regarding PCI DSS, please visit: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Integrated Applications (POS, Web Sites, etc.)

If you are using Monetra via an integrated application which provides its own access control methods, you can bypass Monetra's password change policy while still being in compliance with requirement 8.5.9.

In order to appropriately bypass Monetra's password change requirement, the recommended route is to create a Monetra sub-user with a limited set of permissions (only granting permissions to the functions which the integration actually uses), and also select the 'unattended' option during the sub-user creation. The 'unattended' option will inform Monetra that this sub-user is intended to be used by an integrated application which handles its own access control.

Managing password expirations externally

Managing password expirations externally to Monetra is not recommended, but it is possible. To do this, you must disable password expiration in Monetra globally. In the Monetra Manager, go to Security -> Passwords, set Force Password Change Days to 0, click Apply, and let the Manager restart Monetra. Alternatively, if you prefer to edit Monetra's configuration directly, set force_password_change_days=0 in main.conf.

If managing password expirations externally, do not forget to change each user's password at least every 90 days in order to stay in compliance with PCI DSS.
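As an added example (not Monetra's own code or tooling), the following script shows what an external rotation check would look like once force_password_change_days=0 has been set: it reads the key from a main.conf fragment and, only when Monetra's own expiry is disabled, flags users whose external rotation record is older than the 90-day limit. It assumes main.conf uses simple key=value lines with '#' comments, and the rotation log below is constructed sample data, not Monetra output.

```python
from datetime import date, timedelta

# Constructed main.conf fragment showing only the setting this article discusses.
SAMPLE_MAIN_CONF = """\
# Monetra main.conf (constructed sample, other settings omitted)
force_password_change_days=0
"""

PCI_MAX_PASSWORD_AGE_DAYS = 90  # PCI DSS Requirement 8.5.9

# Constructed external rotation log: user -> date the password was last changed.
EXTERNAL_ROTATION_LOG = {
    "pos_lane1": date(2024, 1, 2),
    "reports": date(2024, 3, 15),
    "admin": date(2024, 4, 1),
}
AUDIT_DATE = date(2024, 4, 10)  # constructed "today" for the audit


def parse_conf(text):
    """Parse key=value lines, skipping blank lines and '#' comments (assumed format)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def expiry_disabled(settings):
    """True when main.conf explicitly sets force_password_change_days=0."""
    return settings.get("force_password_change_days") == "0"


def overdue_users(last_changed, today, max_age_days=PCI_MAX_PASSWORD_AGE_DAYS):
    """Return (user, age_in_days) for passwords older than max_age_days, oldest first."""
    cutoff = today - timedelta(days=max_age_days)
    late = [(user, (today - changed).days) for user, changed in last_changed.items() if changed < cutoff]
    return sorted(late, key=lambda item: item[1], reverse=True)


def audit(conf_text, last_changed, today):
    """External rotation only needs checking when Monetra's own enforcement is off."""
    if not expiry_disabled(parse_conf(conf_text)):
        return []  # Monetra still forces the change itself; nothing to track externally
    return overdue_users(last_changed, today)


if __name__ == "__main__":
    for user, age in audit(SAMPLE_MAIN_CONF, EXTERNAL_ROTATION_LOG, AUDIT_DATE):
        print(f"{user}: password is {age} days old, exceeds {PCI_MAX_PASSWORD_AGE_DAYS}")
```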