Frequently Asked Questions

< Back to search page

Does hashing of passwords meet the intent of PCI DSS Requirement 8.2.1?

FAQ Response

Using strong cryptography to hash the password meets the intent of the PCI DSS Requirement 8.2.1, which is to prevent unintentional disclosure of the passwords during transmission over the network or during storage.

Please refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms for additional information on hashing.

(Note: PCI DSS Requirement numbers refer to PCI DSS version 3)

May 2014
Article Number 1253

Related Articles

Does a QSA need to be onsite at the client’s premises for all aspects of a PCI DSS assessment?

If a merchant develops an application that runs on a consumer’s device (e.g. smartphone, tablet, or laptop) that is used to accept payment card data, what are the merchant’s obligations regarding PCI DSS and PA-DSS for that application?

What are acceptable formats for truncation of primary account numbers?

Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for onsite assessments?

What is the role of acquirers and assessors in determining the applicability of PCI DSS requirements for a merchant’s PCI DSS assessment?