Can a payment application that uses cryptographic keys hard-coded by the vendor be PA-DSS compliant if they cannot be changed by the customer?
No. In order to meet PA-DSS and PCI DSS requirements, the payment application must facilitate the customers’ ability to perform key changes periodically and as required by the customer in case of suspected compromise. This functionality must be included within the application along with instructions on how to perform key changes. If this requirement can only be met by reinstalling the application, the customer must be able to perform this process to change cryptographic keys without requiring a new software release or code update from the vendor. Additionally, the vendor must include instructions on key management processes, including performing key changes, as part of the PA-DSS Implementation Guide.
Article Number: 1053