Chain of trust for installation & update files (PA DSS 1.2)
Oct 24, 2010
Please note that a newer version of this post is available. The information below pertains to PA DSS v1.2, which was retired in December 2011.
PA DSS requires vendors to ensure that the chain of trust is maintained for all installation and update files. These requirements are primarily laid out in 7.2.a and 7.2.b of the PA-DSS 1.2 document. In practice, this means that customers must be able to verify that the files they install or update actually come from you (authentication) and that those files have not been modified (integrity).
Data encryption best practices for PCI
Sep 22, 2010
I get a lot of questions from clients going through PCI or PA DSS assessments about which encryption algorithms and key strengths to use. The requirements only say that strong encryption must be used, without going into detail on algorithms or key lengths, so most people are unsure which options are acceptable and which are not.
Storing PAN with other cardholder data
Jul 27, 2010
One of the more common questions I get from clients is whether other cardholder data elements, such as name, expiry date, etc., need to be encrypted when stored together with the PAN (Primary Account Number) in order to be PCI compliant. As with most PCI DSS requirements, many people, including QSAs, insist that anything stored together with the PAN needs to be encrypted or otherwise rendered unreadable.