Frequently Asked Question

Does the PA-DSS v3 requirement for hashing stored passwords meet PCI DSS Requirement 8.2.1?

Yes; PA-DSS v3 requires that a strong, one-way cryptographic algorithm with a unique input variable be used to render all payment application passwords unreadable during storage. This meets the intent of PCI DSS Requirement 8.2.1, which is that passwords be rendered unreadable using strong cryptography. PCI DSS does not require that all passwords be hashed; they could, for example, be encrypted with an appropriate algorithm and strong cryptographic key.  While PCI DSS provides flexibly for different methods to be used to protect passwords, PA-DSS v3 specifically requires the use of a strong hash with unique input variable.  
May 2015
Article Number: 1289