
I see PCI compliance related only to password security, as far as storage and transmission goes, for user names and email accounts. How does this relate to passwords for programs that run on a PCI compliant machine? For instance: Someone transmitting plain text passwords from a configuration file in an email.

Is this considered a violation of PCI compliance?

Steven Volckaert
Anthony Miller

1 Answer


PCI-DSS requirement 8.4

Render all passwords unreadable during transmission and storage on all system components using strong cryptography.

If it's strictly sending passwords for configuration files, you should send them in an encrypted form through email. The best way would be by using PGP/GPG.

Lucas Kauffman
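The scenario in the question is a configuration file pasted into a mail body with its passwords still readable. As an added example (not part of the question or answer above), the following check flags credential assignments in a constructed config-style text and redacts their values before the text is shared in the clear; the key-name patterns and the constructed sample are assumptions.

```python
import re

# Assumed list of key names that usually carry credentials in config files.
SECRET_KEY_RE = re.compile(
    r"^(?P<indent>\s*)"
    r"(?P<key>[A-Za-z0-9_.\-]*(?:password|passwd|pwd|secret|api[_-]?key|token)[A-Za-z0-9_.\-]*)"
    r"(?P<sep>\s*[=:]\s*)(?P<value>\S.*)$",
    re.IGNORECASE,
)

# Values that are references or placeholders, not literal secrets.
NON_LITERAL_PREFIXES = ("${", "<")


def find_plaintext_secrets(text):
    """Return (line_number, key) for each line that assigns a literal credential value."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = SECRET_KEY_RE.match(line)
        if m and not m.group("value").startswith(NON_LITERAL_PREFIXES):
            hits.append((n, m.group("key")))
    return hits


def redact_secrets(text, placeholder="<redacted>"):
    """Replace credential values so the file can be quoted in an unencrypted message."""
    out = []
    for line in text.splitlines():
        m = SECRET_KEY_RE.match(line)
        if m:
            line = f"{m.group('indent')}{m.group('key')}{m.group('sep')}{placeholder}"
        out.append(line)
    return "\n".join(out)


def email_body_is_clean(body):
    """True when no literal credential assignment remains in the message body."""
    return not find_plaintext_secrets(body)


# Constructed sample configuration (not a real system's file).
SAMPLE_CONFIG = (
    "[database]\n"
    "host = db.internal.example\n"
    "db_password = Wint3r-2013!\n"
    "api_key: abcd1234\n"
    "timeout = 30\n"
)

if __name__ == "__main__":
    print(find_plaintext_secrets(SAMPLE_CONFIG))   # [(3, 'db_password'), (4, 'api_key')]
    print(redact_secrets(SAMPLE_CONFIG))
```

Redaction only covers text that must be sent in the clear; the passwords themselves still need the encrypted channel the answer describes.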