View Full Version : Pci 8.4


PCI4Life
02-11-2008, 11:10 AM
"8.4 Encrypt all passwords during transmission and storage, on all system components"

Does the encrypted storage requirement also apply to customer account passwords on an e-commerce website?

Thanks.

DMertz
02-12-2008, 10:43 AM
Bottom line - yes. Passwords should be encrypted in storage and during transmission.

David Mertz
Partner
Compliance Security Partners, LLC
816 256-2125

HappyCat
02-13-2008, 03:35 AM
Just a quick note that hashing passwords is significantly easier than encryption as it avoids all the key management issues related to encryption.

jbhall56
02-15-2008, 03:36 PM
"Just a quick note that hashing passwords is significantly easier than encryption as it avoids all the key management issues related to encryption."

Yes, but hashing is susceptible to rainbow attacks, so nothing is perfect.