To whom do the PCI DSS password requirements apply?

The password requirements of PCI DSS, among other things, state that you must enforce a very specific password policy:

You need to force users to change their passwords every 90 days, their passwords cannot be shorter than 7 characters, etc.

...

To whom does the policy apply? Does it apply to the ordinary user / customer, or is it talking about the staff / moderators?

To quote PCI DSS 3.2, the intro text to Requirement 8 ("Identify and authenticate access to system components"):

Note: These requirements are applicable for all accounts, including point-of-sale accounts, with administrative capabilities and all accounts used to view or access cardholder data or to access systems with cardholder data. This includes accounts used by vendors and other third parties (for example, for support or maintenance). These requirements do not apply to accounts used by consumers (e.g., cardholders).

As far as I know, large companies such as Google, Facebook, PayPal and many more don't enforce that policy. For example, none of them freeze your account after a period of inactivity as PCI DSS requires, and services such as Facebook allow your password to be 6 characters long (which is less than the 7-character minimum stated in the PCI DSS requirements).

Those companies are PCI DSS Level 1 Service Providers and are listed in the PCI DSS Service Providers index.

Google and PayPal are; I don't see Facebook on the Visa SP Listing. But as above, it's not your account - consumer account - that is governed by PCI DSS. And, especially with a company like Google, it's easy to have an account that never goes near touching a credit card or credit processing function. So it's not that surprising.


It applies to passwords of users who have access to networks where card data is stored, who will normally be employees or contractors of the company. It doesn't apply to customer passwords, unless for some reason those passwords allow access to card data (not including the first six and last four digits of the card number, which don't have to be protected).