Can you provide clarification on the user passwords referenced in PCI DSS 8.5?
PCI DSS requirement 8.5 requires all user passwords be securely managed. These requirements apply to all non-consumer users (not the cardholder) and administrators, not to credentials supplied by applications or systems. If the passwords are not used by individuals to log on to systems or accounts, and appropriate controls exist to mitigate the risk to passwords, all the requirements in 8.5 may not apply. However, it is an information security best practice to securely manage passwords used by applications and systems, which typically have administrative rights.