Frequently Asked Questions

< Back to search page

Why does PA-DSS v3 require passwords to be protected by a one-way hash (Requirement 3.3.2), whereas PANs can be stored in an encrypted form (Requirement 2.3)?

FAQ Response

A payment application is required to restrict administrative access and access to cardholder data to authenticated (Requirement 3.1.4), authorized (Requirement 3.1) users. Where users authenticate to the payment application using a password that is managed by the payment application, PA-DSS v3 requires passwords to be protected using a one-way hash function. A one-way hash function with a unique input variable is intrinsically more secure than a reversible cryptographic function because the original plain-text password can never be algorithmically determined from the hash.

An application never needs to access plain-text passwords. When a user creates a password for the first time, the application generates and stores a hash of the password. When the user next provides their password to authenticate their access, the application will hash the supplied password and compare it with the previously stored hash of the user’s password: the application will never need to retrieve the plain-text password as it can authenticate access by comparing two hashes, rather than two plain-text passwords.

However, where a payment application needs to store PANs which it subsequently needs to be able to access, the PANs can not be stored using a hash, because the payment application would not be able to retrieve the plain-text PAN from the hash. Therefore PA DSS allows PANs to be stored in an encrypted format but also requires appropriate key management (Requirement 2.4). However if a payment application only needed to store a record of a PAN as a reference, but never needed to use the plain-text PAN again, it would be more secure for the payment application to store a hash of a PAN.

May 2015
Article Number 1287

Related Articles

If a merchant develops an application that runs on a consumer’s device (e.g. smartphone, tablet, or laptop) that is used to accept payment card data, what are the merchant’s obligations regarding PCI DSS and PA-DSS for that application?

What are the PA-DSS Expiry Dates?

What is the difference between a Validated Payment Application which is shown on the PCI SSC website as “Acceptable for New Deployments” and one which is shown as “Acceptable only for Pre-Existing Deployments”?

What is the Council’s guidance on the use of SHA-1?

How does use of an expired PTS device affect my PCI DSS compliance?