We use ACS 4.0 (TACACS local password) to control access to our switches and routers. We are now also getting involved with PCI. I have been told that to be PCI compliant we need to be able to ensure that the logon passwords to the switches and routers is changed regularly and that users cannot reuse the last 4 passwords. As far as I am aware ACS 4.0 and 4.2 only prevent the last password from being reused not the last 4. Is this correct. Also does anyone know if this is the correct interpretation of the PCI rules.