The intent of PCI DSS Requirement 8.1.6 and 8.1.7 is to prevent a malicious user from gaining access to users' accounts, by continually trying to guess a user’s password over and over. The lockout occurs after no more than six consecutive failed login attempts, and remains in place for at least 30 minutes or until reset by the administrator. These lockout parameters are the minimum to be implemented; more stringent parameters may be used.
Note: PCI DSS Requirement numbers refer to PCI DSS version 3.
Article Number 1072