I'm developing an Android app that must be PCI PA-DSS compliant. My question is about this requirement in the PA-DSS_v3-1 document:

3.3.1 Use strong cryptography to render all payment application passwords unreadable during transmission.

Let's say I have a "change your password" feature in my app that transmits the user's account password over an SSL/TLS-encrypted connection to the server. Is this encryption sufficient to comply with the requirement? Do I need to implement some kind of encryption before sending it through SSL?

thank you.

Gil Hamilton
  • A little birdie tells me that additional encryption is required, but I haven't seen it in the docs. But I can say the PCI advice on [password cracking times](https://www.pcisecuritystandards.org/pdfs/its_time_to_change_your_password_infographic.pdf?agreement=true&time=1467522615644) is pure BS; it seems they are not aware of [password lists](https://github.com/danielmiessler/SecLists/tree/master/Passwords) or [cracking tools](http://resources.infosecinstitute.com/10-popular-password-cracking-tools/). – zaph Jul 03 '16 at 05:17

1 Answer

The PCI standard can be vague at times and a little 'open ended', but from our experience, it's quite OK as you have it.

SSL/TLS IS the encryption, just use it for your forgotten password feature and you'll be fine.

  • It seems that the phrase "during transmission" would allow an SSL/TLS secure transmission medium. But secure authentication would be necessary, that is ensuring no MITM attack. If a MITM attack cannot be guaranteed then SSL/TLS is not secure. Typically this authentication might be accomplished with certificate pinning, that is verifying the correct certificates of each party. – zaph Jul 03 '16 at 14:59
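The pinning the comment above describes, as an added example for the Android client in the question (this is not code from the original post or from the answerer). It assumes the app uses OkHttp; the host `api.example.com`, the `/v1/account/password` endpoint and the two pin values are placeholders, so the request will fail pin validation against any real server until you substitute pins computed from your own certificate chain with `spkiPin()`.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.Base64;

import okhttp3.CertificatePinner;
import okhttp3.FormBody;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;

/** Hypothetical password-change client; host, path and pin values are placeholders. */
public final class PasswordChangeClient {

    // Hypothetical API host; replace with your own.
    private static final String API_HOST = "api.example.com";

    // OkHttp pin format: "sha256/" + base64(SHA-256(DER SubjectPublicKeyInfo)).
    // These are placeholder values (32 zero bytes / 32 0x04 bytes), not real pins.
    // Pin at least two keys (current + backup) so a key rotation does not lock
    // every installed client out of the password-change endpoint.
    private static final String PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    private static final String PIN_BACKUP  = "sha256/BAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQ=";

    private final OkHttpClient client;

    public PasswordChangeClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, PIN_CURRENT)
                .add(API_HOST, PIN_BACKUP)
                .build();
        // Without certificatePinner(), OkHttp accepts any chain the device trust
        // store considers valid (on older Android versions that includes CAs the
        // user installed), which is the MITM window the comment above refers to.
        this.client = new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    /**
     * Sends the old and new password over TLS. If the server's chain does not
     * contain a pinned key, OkHttp aborts the handshake with
     * javax.net.ssl.SSLPeerUnverifiedException before any request bytes are sent.
     */
    public int changePassword(String sessionToken, String oldPassword, String newPassword)
            throws IOException {
        RequestBody body = new FormBody.Builder()
                .add("old_password", oldPassword)
                .add("new_password", newPassword)
                .build();
        Request request = new Request.Builder()
                .url("https://" + API_HOST + "/v1/account/password") // hypothetical endpoint
                .header("Authorization", "Bearer " + sessionToken)
                .post(body)
                .build();
        try (Response response = client.newCall(request).execute()) {
            return response.code();
        }
    }

    /**
     * Computes the pin for a certificate in OkHttp's format; equivalent to
     * CertificatePinner.pin(cert). Run it once against your leaf or intermediate
     * certificate to obtain the real values for PIN_CURRENT / PIN_BACKUP.
     */
    public static String spkiPin(X509Certificate cert) throws NoSuchAlgorithmException {
        byte[] spki = cert.getPublicKey().getEncoded(); // DER SubjectPublicKeyInfo
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return "sha256/" + Base64.getEncoder().encodeToString(digest);
    }
}
```

Pinning the SubjectPublicKeyInfo rather than the whole certificate lets you renew the certificate without shipping an app update, as long as the key is kept. On Android 7.0 (API 24) and later the same pins can instead be declared in `res/xml/network_security_config.xml` with a `<pin-set>`, which also covers `HttpsURLConnection` and other stacks that honour the platform configuration.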