Reference Content: This is a copy of content from the PCI Security Standards Council FAQ database, preserved for tracking changes over time.
FAQ #1289 Deleted

Does the PA-DSS v3.0 requirement for hashing stored passwords meet PCI DSS Requirement 8.2.1?

Yes; PA-DSS v3.0 requires that a strong, one-way cryptographic algorithm with a unique input variable be used to render all payment application passwords unreadable during storage. This meets the intent of PCI DSS Requirement 8.2.1, which is that passwords be rendered unreadable using strong cryptography. PCI DSS does not require that all passwords be hashed; they could, for example, be encrypted with an appropriate algorithm and strong cryptographic key. While PCI DSS provides flexibility for different methods to be used to protect passwords, PA-DSS v3.0 specifically requires the use of a strong hash with unique input variable.
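The following is an added illustration, not part of the PCI SSC FAQ, of what "strong, one-way cryptographic algorithm with a unique input variable" looks like in practice: each password is hashed with its own random salt (the unique input) under a slow, purpose-built password hash, and verification recomputes the hash from the stored salt. The choice of PBKDF2-HMAC-SHA256 and the iteration count are assumptions for the example; the FAQ names no specific algorithm or parameters. The last function shows why the unique input matters: without it, two users with the same password would share an identical stored value.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (the FAQ does not specify any).
SALT_LEN = 16
DEFAULT_ITERATIONS = 600_000  # work factor; tune to your hardware budget


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    The salt is the per-password unique input; it is generated fresh unless
    a caller supplies one (the test path does, to get deterministic output).
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iters = int(iterations)
    except ValueError:
        return False  # malformed record: treat as a failed login, not a crash
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iters)
    return hmac.compare_digest(actual, expected)


def unsalted_collision(password: str) -> bool:
    """Demonstrate the failure mode the 'unique input variable' prevents.

    Two independent hashes of the same password with no salt are identical,
    so an attacker who cracks one has cracked every account using it.
    """
    first = hashlib.sha256(password.encode("utf-8")).hexdigest()
    second = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return first == second


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed input
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("wrong password", record))
    print("salted hashes differ:",
          hash_password("same") != hash_password("same"))
    print("unsalted hashes collide:", unsalted_collision("same"))
```

Note that the alternative the FAQ mentions, reversible encryption with a strong key, is only as strong as the protection of that key; a one-way salted hash has no key to lose, which is one reason PA-DSS v3.0 mandates the hash form.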

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.