📝 Overview
Your software’s password security settings help maintain account safety for both employees and customers.
Admins can define password expiration intervals, enforce complex password rules, and automatically disable inactive or compromised accounts. These settings help ensure compliance with PCI standards and reduce unauthorized access risks.
🛠️ Setup
Go to Company Settings.
Select the Security tab.
Under User Password Settings, review the following options:
Password Expiration Policy
Never require password change (non-PCI Compliant)
Require new password every 90 days (PCI Compliant)
Require new password every 365 days (non-PCI Compliant)
Enable Secure Password and User Account Policies
Password Complexity: Requires at least 8 characters, including one uppercase letter, one lowercase letter, one number, and one symbol.
Password Re-use: New password must differ from the last 8 passwords.
Login Account Freeze: After 5 unsuccessful attempts, the account freezes for 30 minutes. Admins can manually unfreeze accounts from the employee page.
Unused Account Disabling: Disables login for accounts inactive for 90 days (existing users) or 15 days (new users). Admins can re-enable accounts manually.
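The rules listed under Enable Secure Password and User Account Policies, modeled as an added Python example (not the product's own code) that can serve as a reference when testing how accounts should behave. Assumptions: symbols are ASCII punctuation, the re-use history includes the current password, a "new user" is one who has not yet logged in, and all function and class names are hypothetical.

```python
import hashlib, hmac, os, string
from datetime import timedelta

MIN_LEN, HISTORY, MAX_FAILS = 8, 8, 5          # values from the settings above
FREEZE = timedelta(minutes=30)

def complexity_errors(pw):
    """Return the complexity requirements that the candidate password misses."""
    checks = {
        "8+ characters": len(pw) >= MIN_LEN,
        "uppercase letter": any(c.isupper() for c in pw),
        "lowercase letter": any(c.islower() for c in pw),
        "number": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),  # assumption: ASCII
    }
    return [name for name, ok in checks.items() if not ok]

def _digest(pw, salt):
    # Salted PBKDF2 so the history never holds plaintext (iteration count is illustrative).
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Account:
    def __init__(self, created):
        self.history, self.fails, self.frozen_until = [], 0, None
        self.last_seen, self.idle_limit = created, timedelta(days=15)  # new user

    def _matches(self, pw, entry):
        return hmac.compare_digest(_digest(pw, entry[0]), entry[1])

    def set_password(self, pw):
        errors = complexity_errors(pw)
        if any(self._matches(pw, e) for e in self.history):
            errors.append("reused password")
        if not errors:
            salt = os.urandom(16)
            self.history = (self.history + [(salt, _digest(pw, salt))])[-HISTORY:]
        return errors

    def login(self, pw, now):
        if now - self.last_seen > self.idle_limit:
            return "disabled"                  # stays off until an admin re-enables it
        if self.frozen_until and now < self.frozen_until:
            return "frozen"                    # even a correct password is refused
        if self.history and self._matches(pw, self.history[-1]):
            self.fails, self.last_seen = 0, now
            self.idle_limit = timedelta(days=90)   # now an existing user
            return "ok"
        self.fails += 1
        if self.fails >= MAX_FAILS:
            self.fails, self.frozen_until = 0, now + FREEZE
        return "frozen" if self.frozen_until and now < self.frozen_until else "denied"
```

The manual admin actions (unfreeze, re-enable) are left out of the model; in it they would amount to clearing `frozen_until` or resetting `last_seen`.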
⚙️ How It Works
When Password Expiration Policy is set, users must reset their password once the interval (90 or 365 days) has passed.
If Secure Password and User Account Policies are enabled:
💡 Pro Tips
⚠️ Use the 90-day expiration policy to maintain PCI compliance and reduce vulnerability risks.
🧠 Keep at least two admins active so one can unlock or re-enable accounts if the other is unavailable.
💬 Communicate password updates ahead of time to avoid user frustration and login delays.
⛔️ Avoid choosing “Never require password change” unless your environment is strictly internal or for testing.
📌 Periodically review inactive accounts and remove those no longer in use to maintain data integrity.
❓ Frequently Asked Questions (FAQs)
What does PCI compliance mean in this context?
PCI compliance ensures your password policies meet industry standards for protecting stored or transmitted payment data.
Can I select “Never require password change”?
Yes, but this option is not PCI compliant and is best suited for internal testing or demo environments only.
How do I unlock a frozen user account?
Go to the employee’s profile and select Unfreeze Account to restore login access.
What happens if I disable Secure Password and User Account Policies?
Password complexity, re-use limits, and automatic disabling rules will no longer apply. You’ll have full manual control over expiration and security.
How long is an account locked after failed login attempts?
An account remains frozen for 30 minutes or until an admin manually unfreezes it.
Is there a way to stay logged in without having to re-enter my password?
The session timeout is a necessary security feature and is not adjustable. It occurs when the page has had no activity for 15 minutes. To avoid it, we suggest interacting with the page every so often.