Reference Content: This is a copy of content from the PCI Security Standards Council FAQ database, preserved for tracking changes over time.
FAQ #1288 Published

Does PA-DSS Requirement 3.3.2 apply to passwords used by the payment application to access other systems/applications (e.g. for the payment application to access a third-party database)?

PA-DSS Requirement 3.3.2 applies to all passwords generated or managed by the payment application that are used to authenticate access to the payment application. This requirement is not intended to apply to third-party system or database passwords that the payment application uses to access other system resources. Where a payment application needs to store such passwords, it should protect them in accordance with the password security controls of the third party application or system; for example, by using strong two-way encryption and implementing procedures to protect the keys used to secure the stored passwords.

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.