PCI Requirement 8.2.1 – Use Strong Cryptography to Render All Authentication Credentials Unreadable During Transmission and Storage

by Randy Bartels / December 21st, 2017

Strong Cryptography in Transmission and Storage

PCI Requirements 3 and 4 help your organization implement strong cryptography methods, and we see it again here in PCI Requirement 8. Using strong cryptography is essential to protecting cardholder data. An attacker can easily capture unencrypted passwords during transmission and while in storage, and use this data to gain unauthorized access to your system or to the cardholder data environment. To prohibit this interception, PCI Requirement 8.2.1 requires, “Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.”

To verify compliance with PCI Requirement 8.2.1, your organization’s vendor documentation and systems will be examined, along with a sample of your own system components, to ensure the use of strong cryptography to render all authentication credentials unreadable during transmission and storage. Service providers must undergo additional testing procedures so assessors can observe password files and confirm that non-consumer customer passwords are also unreadable during transmission and storage.

One of the holy grails of an attacker is to get to all of the usernames and passwords, because at that point it’s kind of game over. In order to prevent that type of thing from occurring, the PCI DSS requires two things around passwords. These passwords need to be encrypted when they’re being transmitted over your internal network, and they also need to be encrypted when they are stored.

Back in PCI Requirement 6.3, we talked about having an SDLC that takes PCI DSS into account. This might be one of those situations where you ask yourself, “How are we going to authenticate?” If you’re using a local authentication store, the passwords that you’re storing need to be stored in an encrypted format. From an assessor’s perspective, we’re going to look at all of your applications and how you’re authenticating. We’re then going to look at all of your authentication stores where your usernames and passwords reside and we’re going to look to see that they’re actually encrypted.