PCI 8.6.1 says:
Limit repeated access attempts by locking out the user ID after not more than six attempts.
But it says nothing about a minimum duration between the first failed login attempt and the last failed login attempt. If a user fails to log in 6 times over a 2 minute period, obviously he should be locked out. But what if he fails to log in 6 times over a 2 day period? Would it be reasonable to assign each login attempt an expiration date (say, 12 hours)? Would this violate PCI requirements?
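The scheme the question describes, sketched as an added example that is not part of the original post: each failed attempt expires after 12 hours and the user ID locks at the sixth live failure. The class and function names, the in-memory storage and the sample timestamps are assumptions made for illustration; whether this satisfies the requirement is not decided by the code.

```python
from collections import defaultdict, deque

MAX_ATTEMPTS = 6            # threshold quoted in the question
ATTEMPT_TTL = 12 * 3600     # the question's suggested 12-hour expiry, in seconds


class FailedLoginTracker:
    """Hypothetical tracker: counts failed logins per user ID, each with a TTL."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=ATTEMPT_TTL):
        self.max_attempts = max_attempts
        self.ttl = ttl
        self._failures = defaultdict(deque)   # user_id -> times of live failures
        self._locked = set()                  # unlock policy is out of scope here

    def _expire(self, user_id, now):
        # Drop failures whose age has reached the TTL.
        q = self._failures[user_id]
        while q and now - q[0] >= self.ttl:
            q.popleft()

    def record_failure(self, user_id, now):
        """Record a failure at time `now` (seconds); return True if locked."""
        if user_id in self._locked:
            return True
        self._expire(user_id, now)
        self._failures[user_id].append(now)
        if len(self._failures[user_id]) >= self.max_attempts:
            self._locked.add(user_id)
        return user_id in self._locked

    def record_success(self, user_id):
        """A successful login clears the counter unless the ID is locked."""
        if user_id in self._locked:
            return False
        self._failures.pop(user_id, None)
        return True

    def is_locked(self, user_id):
        return user_id in self._locked


def simulate(timestamps):
    """Feed constructed failure times for one user; return the lock state."""
    tracker = FailedLoginTracker()
    for t in timestamps:
        tracker.record_failure("alice", t)
    return tracker.is_locked("alice")
```

With this design the expiry bounds the rate of failures rather than their total: failures paced below six per 12 hours never trigger the lock, so a longer window or separate alerting on slow failure patterns is what covers that case.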