Does PA-DSS Requirement 3.3.2 apply to passwords used by the payment application to access other systems/applications (e.g. for the payment application to access a third-party database)?
PA-DSS Requirement 3.3.2 applies to all passwords generated or managed by the payment application that are used to authenticate access to the payment application. This requirement is not intended to apply to third-party system or database passwords that the payment application uses to access other system resources. Where a payment application needs to store such passwords, it should protect them in accordance with the password security controls of the third party application or system; for example, by using strong two-way encryption and implementing procedures to protect the keys used to secure the stored passwords.
Article Number: 1288