Frequently Asked Questions


Can a payment application that implements the same cryptographic keys across multiple installations be PA-DSS compliant?

FAQ Response

No. If cryptographic keys are provided by the application vendor as part of the application, the keys must be unique to each customer or installation. An application that requires the same key to be used across all installations or by different customers does not meet the requirement for "strong cryptography". If the application includes any default cryptographic keys, the customer must be able to change those keys. Additionally, the vendor must provide instructions in the PA-DSS Implementation Guide stating that all default keys must be changed and explaining how to perform the key changes.
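The three points of the answer above (a key unique to each installation, a shipped default that is detected and replaced, and a key change the customer can perform) as an added Python example; this is illustrative code, not from the PCI SSC or any vendor, and the "vendor default key" it recognises is a constructed placeholder.

```python
import hashlib
import secrets
from typing import Optional, Tuple

# Constructed placeholder standing in for a key a vendor might ship inside the
# application. Only its fingerprint is kept so the check can recognise it.
VENDOR_DEFAULT_KEY = bytes(32)
KNOWN_DEFAULT_FINGERPRINTS = {hashlib.sha256(VENDOR_DEFAULT_KEY).hexdigest()}


def fingerprint(key: bytes) -> str:
    """Hash a key so it can be compared without keeping the key bytes around."""
    return hashlib.sha256(key).hexdigest()


def is_default_key(key: bytes) -> bool:
    """True if the key matches any key the vendor shipped with the application."""
    return fingerprint(key) in KNOWN_DEFAULT_FINGERPRINTS


def generate_installation_key() -> bytes:
    """Fresh 256-bit key from the OS CSPRNG, so every installation gets its own."""
    return secrets.token_bytes(32)


def provision_key(current_key: Optional[bytes]) -> Tuple[bytes, str]:
    """Decide which key this installation should use at startup.

    Returns the key together with the action taken: "generated" when no key
    was configured yet, "replaced-default" when the configured key is a vendor
    default, and "kept" when the customer already installed a unique key.
    """
    if current_key is None:
        return generate_installation_key(), "generated"
    if is_default_key(current_key):
        return generate_installation_key(), "replaced-default"
    return current_key, "kept"


def rotate_key(current_key: bytes) -> bytes:
    """Customer-initiated key change; guarantees the new key differs from the old."""
    new_key = generate_installation_key()
    while new_key == current_key or is_default_key(new_key):
        new_key = generate_installation_key()
    return new_key
```

In a real deployment the generated key would be wrapped under a key-encrypting key or stored in an HSM rather than held in memory as shown here.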

September 2010
Article Number 1052