Unfortunately, not all guidelines have caught up. PCI-DSS still requires password changes every 90 days for anything in scope (the cardholder data environment, anything that might even remotely touch payment card data).

Not with MFA. Not for a while now. And regardless, the word(s) you are looking for is "compensating control".