What must service-provider documentation include regarding non-consumer customer passwords?


Multiple Choice

What must service-provider documentation include regarding non-consumer customer passwords?

Explanation:
Password management for non-consumer customers must be documented in a way that establishes how often passwords are changed and under what conditions a change is required. This ensures there is a clear, repeatable policy for protecting access, rather than relying on ad hoc or fixed, potentially inappropriate intervals. The correct approach states that non-consumer passwords are changed periodically and provides guidance on when and why to change them (for example, after a suspected compromise, role change, or other triggering events). Choosing a strict fixed interval like every 30 days or every two years isn’t required by PCI DSS, and claiming passwords are never changed would create a security gap. The emphasis is on having a documented policy that includes periodic changes and specific circumstances that prompt a change.

