Which method must assessors use to verify user password changes as required by PCI DSS?


The correct answer involves reviewing system configuration settings to ensure that password changes are enforced after a specified period, such as 90 days. This verification step is critical for maintaining the integrity and security of user accounts. By checking the system configuration, assessors can confirm that the organization has established and enforced the password expiration policies that the PCI Data Security Standard mandates.

This approach ensures that users regularly update their passwords, thereby reducing the risk of unauthorized access stemming from forgotten or compromised credentials. Configurations that lead to automatic password expiration are a proactive measure in safeguarding sensitive information within the payment card environment.

Reviewing system configurations also provides a clear and documented way to verify compliance without relying on potentially time-consuming testing methods or on subjective accounts from personnel, which could introduce variability into the assessment. This method promotes a structured and auditable approach to compliance verification, aligning with the overarching goal of PCI DSS to protect cardholder data.
