[PA-DSS] 3.3 Encrypt payment application passwords during transmission and storage, using strong cryptography based on approved standards (defined in PCI DSS Glossary, Abbreviations, and Acronyms)

[admin]

3.3 Encrypt payment application passwords during transmission and storage, using strong cryptography based on approved standards (defined in PCI DSS Glossary, Abbreviations, and Acronyms).

PCI Data Security Standard Requirement 8.4

Testing Procedures:

3.3 Examine payment application password files during storage and transmission to verify that passwords are encrypted at all times.

[jgross]

One of the biggest factors for card data theft is a result of ineffective protection against stored data, and not complying to PCI DSS. The industry is starting to trend toward tokenization technology more, to help limit this issue. The result is that the card information is transferred to a PCI DSS compliant data storage facility, leaving a unique identifier (token) that points to the actual data without containing any sensitive information itself.

This encryption technique is one that is becoming implemented more often in the industry, and the result is better security against data theft. There is good information about this technology in this tokenization white paper.