Hi Andrei! Nice list of features! I'm looking forward to them.
I haven't seen discussion on meeting the latest PCI DSS 3.1 requirements. I've looked in the 3.7 version and these do not look to be implemented there. So, I'm interested in whether these features are on your roadmap so that the PCI DSS 3.1 requirements below are covered in nopCommerce.
Here are the items in particular:
Requirement 8.1.7: Password attempt failure lock-out set to 30 minutes minimum. (may be an admin-configured setting)
Requirement 8.2.4: Passwords must be forced to change at least once every 90 days
Requirement 8.2.5: Do not allow an individual to submit a new password that is the same as any of the last four passwords used.
Requirement 10.1: Implement audit trails to link all access to system components to each individual user.
Requirement 10.2: Implement automated audit trails for all system components to reconstruct the following events:
Requirement 10.2.1: All individual accesses to cardholder data
Requirement 10.2.2: All actions taken by any individual with root or administrative privileges
Requirement 10.2.3: Access to all audit trails
Requirement 10.2.4: Invalid logical access attempts
Requirement 10.2.5: Use of and changes to identification and authentication mechanisms including:
- creation of new accounts
- elevation of privileges
- changes, additions, or deletions to accounts with root or administrative privileges
Requirement 10.2.6: Initialization, stopping, or pausing of audit logs
Requirement 10.2.7: Creation and deletion of system level objects (db tables, stored procs, etc)
Requirement 10.7: Retain audit trail history for at least one year with 3 months minimum available for analysis.
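As an added reference example (not nopCommerce code and not part of the post above), the three account-policy items from section 8 can be sketched in a few functions: lock-out for 30 minutes after repeated failures (8.1.7; the threshold of six attempts comes from the neighbouring requirement 8.1.6), forced change after 90 days (8.2.4), and rejection of any of the last four passwords (8.2.5). Every name here is hypothetical, the store is in memory rather than a database, and "last four" is read as the current password plus the three before it. The password history keeps salted hashes, never plaintext, so a reuse check has to re-hash the candidate with each stored salt; a correct password is still refused while the lock is active so the lock cannot be used as a password oracle; and each decision is appended to a per-account list to show the kind of events requirements 10.2.4 and 10.2.5 expect in the audit trail.

```python
"""Added example of PCI DSS 3.1 section 8 account policies (hypothetical
code, not nopCommerce's): lockout, password expiry, password history."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

LOCKOUT_THRESHOLD = 6                        # 8.1.6: lock after at most six failures
LOCKOUT_DURATION = timedelta(minutes=30)     # 8.1.7: at least 30 minutes
MAX_PASSWORD_AGE = timedelta(days=90)        # 8.2.4: change at least every 90 days
HISTORY_DEPTH = 4                            # 8.2.5: current + previous three
PBKDF2_ROUNDS = 50_000                       # kept low for the demo; raise in production
T0 = datetime(2015, 6, 1, 9, 0)              # constructed "now" for the scenario


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the history stores (salt, digest) pairs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: datetime
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # previous passwords, newest first
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    audit: List[Tuple[datetime, str]] = field(default_factory=list)   # 10.2.4 / 10.2.5 events

    @classmethod
    def create(cls, password: str, now: datetime) -> "Account":
        salt = os.urandom(16)
        return cls(salt=salt, digest=_hash(password, salt), changed_at=now)


def set_password(acct: Account, new_password: str, now: datetime) -> bool:
    """8.2.5: refuse the new password if it equals any of the last HISTORY_DEPTH used."""
    recent = [(acct.salt, acct.digest)] + acct.history[: HISTORY_DEPTH - 1]
    for salt, digest in recent:
        # Re-hash with each entry's own salt; constant-time compare of digests.
        if hmac.compare_digest(_hash(new_password, salt), digest):
            acct.audit.append((now, "password change rejected: matches recent password"))
            return False
    acct.history.insert(0, (acct.salt, acct.digest))
    acct.history = acct.history[: HISTORY_DEPTH - 1]
    acct.salt = os.urandom(16)
    acct.digest = _hash(new_password, acct.salt)
    acct.changed_at = now
    acct.failed_attempts = 0
    acct.audit.append((now, "password changed"))
    return True


def authenticate(acct: Account, password: str, now: datetime) -> str:
    """Returns 'ok', 'locked', 'expired' or 'bad_password'.

    'expired' means the credentials were right but 8.2.4 requires a change
    before any access is granted; the caller must route to a change form.
    """
    if acct.locked_until is not None:
        if now < acct.locked_until:
            # Do not check the password at all while locked: no oracle.
            acct.audit.append((now, "login refused: account locked"))
            return "locked"
        acct.locked_until = None          # 8.1.7: lock has run its 30 minutes
        acct.failed_attempts = 0
    if not hmac.compare_digest(_hash(password, acct.salt), acct.digest):
        acct.failed_attempts += 1
        acct.audit.append((now, f"invalid login attempt {acct.failed_attempts}"))
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_DURATION
            acct.audit.append((now, "account locked"))
        return "bad_password"
    acct.failed_attempts = 0
    if now - acct.changed_at >= MAX_PASSWORD_AGE:
        acct.audit.append((now, "login ok but password expired"))
        return "expired"
    acct.audit.append((now, "login ok"))
    return "ok"


def run_scenario() -> list:
    """Constructed walk-through of all three policies; returns the outcomes in order."""
    acct = Account.create("Initial-Pw-1", T0)
    out = [authenticate(acct, "Initial-Pw-1", T0)]
    out += [authenticate(acct, "wrong", T0) for _ in range(LOCKOUT_THRESHOLD)]
    out.append(authenticate(acct, "Initial-Pw-1", T0 + timedelta(minutes=5)))  # right password, still locked
    out.append(authenticate(acct, "Initial-Pw-1", T0 + LOCKOUT_DURATION))      # lock expired
    for pw in ["Initial-Pw-1", "Second-Pw-2", "Third-Pw-3", "Fourth-Pw-4",
               "Initial-Pw-1", "Fifth-Pw-5", "Initial-Pw-1"]:
        out.append(set_password(acct, pw, T0))   # 1st reuse rejected, 2nd allowed: aged out of the four
    out.append(authenticate(acct, "Initial-Pw-1", T0 + MAX_PASSWORD_AGE))      # 90 days later
    return out


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

The hashing rounds are deliberately low so the walk-through runs quickly; the structure is what matters: salt per entry, constant-time comparison, no password check while locked, and an explicit "expired" outcome that the caller cannot confuse with a successful login.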