What PA-DSS 3.0 says about password storage

PA-DSS (Payment Application Data Security Standard) is the standard the PCI SSC drew up for software vendors whose applications handle payment transactions:

PA-DSS was implemented in an effort to provide the definitive data standard for software vendors that develop payment applications.

This standard has gone through many versions; the latest, 3.0, was published in November 2013. I just happened to see its password-storage requirement mentioned in "Passwordscon 2014 - Password Security In The Pci Dss - Jarred White", on page 34 of the PDF.

It is split into a few parts. The PA-DSS Requirements part says:

3.3.2 Use a strong, one-way cryptographic algorithm, based on approved standards to render all payment application passwords unreadable during storage. Each password must have a unique input variable that is concatenated with the password before the cryptographic algorithm is applied.

So the standard requires a one-way cryptographic algorithm, and a per-password salt is mandatory.

The Guidance column goes further and directly recommends PBKDF2 and Bcrypt:

Concatenating a unique input variable to each password before the hashing algorithm is applied reduces the effectiveness of brute force attacks. Examples of strong one-way cryptographic algorithms suitable for hashing passwords include PBKDF2 and Bcrypt.
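As an added illustration of requirement 3.3.2 and the guidance above (example code written for this post, not from the standard or the talk), here is a minimal PBKDF2-HMAC-SHA256 password store: every password gets its own random salt, the salt and iteration count are kept next to the hash so they can be raised later, and verification uses a constant-time compare. The iteration count and record layout are my own assumptions, not values from PA-DSS.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters (not prescribed by PA-DSS): PBKDF2-HMAC-SHA256,
# 16-byte random salt, 600k iterations, 32-byte derived key.
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
DK_LEN = 32


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password with the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DK_LEN)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_b64$hash_b64."""
    # The "unique input variable" of 3.3.2: a fresh random salt per password,
    # so two users with the same password get different records and a
    # precomputed table cannot be reused across accounts.
    salt = os.urandom(SALT_BYTES)
    dk = derive(password, salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt/iterations and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False  # unknown or malformed record: never accept
    _, iterations, salt_b64, dk_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = derive(password, salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True if the stored record uses a weaker-than-current iteration count."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < min_iterations
```

Call `needs_rehash` after a successful login to upgrade old records transparently as you raise the iteration count.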


See also ijliao's 2012 post "請愛用 bcrypt 和 PBKDF2" (please use bcrypt and PBKDF2), which already made the same point.
