Why does Symantec break out Section 8.5.9 of the PCI DSS standard by OS?

Article ID: 153146

Products

Control Compliance Suite Windows

Issue/Introduction

Section 8.5.9 of PCI DSS states “change user passwords at least every 90 days”. Why does Symantec break it out by OS?
 

Resolution

Symantec breaks this recommendation out by OS for the following reasons:
 
1. Section 8.5.9 of PCI DSS, which states “change user passwords at least every 90 days”, gives a general recommendation for all types of operating systems. This may change in the future, and the recommendation may be diversified by operating system depending on the development paths of operating systems.

 
2. Depending on regulatory and business requirements, different organizations may apply different requirements to each type of operating system used in the organization. In high-security organizations or departments, there may be a need to fulfill higher security requirements (exceeding PCI DSS recommendations) for selected operating systems.
 
3. The CCS product provided by Symantec offers the flexibility to select and apply standards and policies in the areas your organization needs. This flexibility also allows you to create your own standards and policies that better reflect your needs.