Currently Okta lets AD-mastered users reset their password to either the current password or one from recent history. Note our AD policy prevents users from using passwords from recent history, as does our current password reset tool. Okta bypasses those restrictions. Our QSA has ruled Okta as PCI in-scope as a supporting system, and if we move forward with Okta we will likely fail our PCI audit. As a result we have halted our Okta implementation because this is a violation of PCI DSS 3.0 requirement 8.2.5.
Okta has acknowledged this as a defect and plans on starting work on the fix in March 2016 or so. No telling when the fix will actually be available.
If someone has faced this issue, have you implemented any workarounds? Perhaps implemented your own API?
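For anyone weighing the "own API" route, the check that is missing from the reset flow described above is a password-history comparison. The following is an added illustration (not Okta code, not the poster's tool, and not a claim about how AD or Okta store credentials) of what a front-end reset service would have to enforce before forwarding a new password: it keeps a salted PBKDF2 digest of the last four passwords (the depth PCI DSS 8.2.5 names), with index 0 being the current one, and refuses any candidate that matches the current password or any of the retained history. The depth constant, the iteration count and the helper names are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# PCI DSS 3.0 req 8.2.5: a new password may not equal any of the last four used.
# Treating the current password as entry 0 of that window is an assumption here.
PCI_HISTORY_DEPTH = 4
PBKDF2_ITERATIONS = 50_000  # assumed; tune to your own hardware/policy

HistoryEntry = Tuple[bytes, bytes]  # (salt, digest)


class PasswordReuseError(ValueError):
    """Raised when a candidate password matches the current or a recent password."""


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256 digest; a fresh random salt per stored entry."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, entry: HistoryEntry) -> bool:
    """Constant-time comparison of a candidate against one stored (salt, digest) entry."""
    salt, digest = entry
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_history(history: List[HistoryEntry], candidate: str,
                  depth: int = PCI_HISTORY_DEPTH) -> bool:
    """True if the candidate matches none of the most recent `depth` entries.

    history[0] is the current password, so this rejects both 'reset to the
    current password' and 'reset to a recently used password'.
    """
    return not any(matches(candidate, entry) for entry in history[:depth])


def reset_password(history: List[HistoryEntry], new_password: str,
                   depth: int = PCI_HISTORY_DEPTH) -> List[HistoryEntry]:
    """Enforce the history rule and return the updated history (newest first).

    Only `depth` entries are retained, so the stored window is exactly the
    window being enforced; older digests are dropped rather than kept forever.
    """
    if not check_history(history, new_password, depth):
        raise PasswordReuseError("new password matches the current or a recent password")
    return [hash_password(new_password)] + history[: depth - 1]


def demo() -> dict:
    """Walk a user through several resets and report which candidates were blocked.

    All passwords below are constructed sample values for the example.
    """
    history: List[HistoryEntry] = []
    for pw in ["Winter2016!", "Spring2016!", "Summer2016!", "Autumn2016!"]:
        history = reset_password(history, pw)

    results = {
        "current_blocked": not check_history(history, "Autumn2016!"),
        "recent_blocked": not check_history(history, "Winter2016!"),
        "new_allowed": check_history(history, "Winter2017!"),
    }
    # A fifth distinct password pushes the oldest one out of the four-entry window.
    history = reset_password(history, "Winter2017!")
    results["oldest_expired_allowed"] = check_history(history, "Winter2016!")
    results["still_recent_blocked"] = not check_history(history, "Spring2016!")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Whatever system fronts the reset, the enforcement has to sit in the path the user actually takes; a policy that only AD and the legacy tool apply is exactly what an alternate reset path walks around, which is the gap the QSA flagged.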