POS-Password requirements-Windows passwords


Opeth401
06-12-2007, 09:23 PM
Must Windows-level passwords be changed regularly on Windows-based POS PCs and/or back office POS servers for PCI compliance? Or must they only be changed from vendor defaults?

If they must be changed regularly, it creates an ongoing administrative nightmare, so I'm hoping no is the answer...

jplee3
06-13-2007, 11:52 AM
My initial response would be yes, if any credit card data is being processed (and since it's a POS, I would assume so). Req 8.5.9 states:

8.5.9 Change user passwords at least every 90 days
8.5.9 For a sample of system components, critical servers, and wireless access points, obtain and inspect system configuration settings to verify that user password parameters are set to require users to change passwords at least every 90 days.


Here's another useful document specifically regarding POS Vulnerabilities:
http://usa.visa.com/download/merchants/top_three_pos_system_vulnerabilities_112106.pdf

It reiterates enforcing password policies (including changing passwords at least every 90 days).
It definitely would cause a headache... Anyone out there have any solutions or ideas to help ease this issue if there are a large number of POSes?
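For the fleet-size problem raised above, here is an added example (not code from either poster or from the Visa document) of how an assessor or admin can run the 8.5.9 test across many Windows POS hosts at once: it exports each box's local security policy with secedit, reads MaximumPasswordAge, and also lists enabled local accounts flagged "password never expires", since those bypass the policy even when the ceiling is set correctly. It assumes PowerShell remoting (WinRM) is enabled on the targets and that the caller is a local administrator on them; the host names are constructed placeholders.

```powershell
# Added example: audit Windows POS hosts for PCI DSS 8.5.9 (max password age <= 90 days)
# and remediate workgroup hosts that fail. Assumes WinRM is enabled and the caller is a
# local admin on each target. Host names below are constructed placeholders.
param(
    [string[]] $ComputerName = @('POS-01', 'POS-02', 'BACKOFFICE-01'),  # assumed names
    [int]      $MaxAgeDays   = 90                                        # 8.5.9 ceiling
)

# Runs on each target. secedit writes MaximumPasswordAge = -1 when passwords are set
# never to expire, so -1 and 0 are both treated as non-compliant.
$auditBlock = {
    param([int] $MaxAgeDays)

    $cfg = Join-Path $env:TEMP 'secpol_audit.cfg'
    secedit /export /cfg $cfg /quiet | Out-Null
    $maxAge = $null
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\s*MaximumPasswordAge\s*=\s*(-?\d+)') {
            $maxAge = [int] $Matches[1]
            break
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue

    # Enabled local accounts with "Password never expires" are exempt from the
    # policy and would fail the 8.5.9 check even when MaximumPasswordAge is fine.
    $neverExpires = @(Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True AND Disabled=False" |
        Where-Object { -not $_.PasswordExpires } |
        Select-Object -ExpandProperty Name)

    $policyOk = ($null -ne $maxAge) -and ($maxAge -ge 1) -and ($maxAge -le $MaxAgeDays)

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        MaximumPasswordAge  = $maxAge            # -1 or 0 means never expires
        PolicyCompliant     = $policyOk
        NeverExpireAccounts = ($neverExpires -join ',')
        Compliant           = $policyOk -and ($neverExpires.Count -eq 0)
    }
}

$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $auditBlock -ArgumentList $MaxAgeDays
$results | Sort-Object Computer |
    Format-Table Computer, MaximumPasswordAge, PolicyCompliant, NeverExpireAccounts, Compliant -AutoSize

# Remediation for workgroup (non-domain) POS hosts: set the local ceiling on each box
# whose policy failed. Domain-joined hosts should get the same value from the
# Default Domain Policy instead, so it is enforced centrally rather than per machine.
foreach ($r in ($results | Where-Object { -not $_.PolicyCompliant })) {
    Invoke-Command -ComputerName $r.Computer -ScriptBlock { net accounts /maxpwage:90 | Out-Null }
}
```

To check a single box without remoting, run the script block locally with `& $auditBlock 90`. Accounts listed under NeverExpireAccounts need the flag cleared (or a documented exception) before the host can be called compliant, because the 8.5.9 testing procedure looks at whether users are actually forced to change passwords, not just at the policy number.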