Encryption Key v. Password


smcenroe
11-07-2008, 01:10 PM
A client uses blowfish where he provides what he calls a password along with the string to be encrypted. He argues the actual keys are dynamically created inside the encrypt/decrypt functions. Schneier's web site calls the "password" a variable-length key. It all leads to 2.6 and 2.7 key management and secure deletion of keys. Thoughts?

lyalc
12-01-2008, 01:34 PM
The same password will always transform to the same encryption key value.
If you're not changing the passwords on at least an annual basis, then you are not managing keys in a PCI-compliant manner.
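An added illustration of lyalc's point, written for this thread rather than taken from it or from the client's code: Blowfish takes a variable-length key of 32 to 448 bits, so a "password" fed straight to the cipher is the key, and a fixed password maps to one fixed key. The PBKDF2 derivation, the salt record and the `rotate` helper are assumptions about how one might separate the password from the key so that the key can be rotated and retired.

```python
import hashlib
import os

# Blowfish accepts a variable-length key of 32..448 bits (4..56 bytes).
BLOWFISH_MIN_KEY_BYTES = 4
BLOWFISH_MAX_KEY_BYTES = 56


def password_as_raw_key(password):
    """What the client's design amounts to: the password bytes ARE the key.
    Blowfish's key schedule expands them into its P-array and S-boxes, but
    the input never changes, so the same password always yields the same key."""
    key = password.encode("utf-8")
    if not BLOWFISH_MIN_KEY_BYTES <= len(key) <= BLOWFISH_MAX_KEY_BYTES:
        raise ValueError(
            f"Blowfish key must be {BLOWFISH_MIN_KEY_BYTES}..{BLOWFISH_MAX_KEY_BYTES} "
            f"bytes, got {len(key)}"
        )
    return key


def derive_key(password, salt, iterations=200_000, length=32):
    """Assumed KDF step (not from the thread): PBKDF2-HMAC-SHA256 turns the
    password plus a stored salt into a 256-bit Blowfish key. Same password
    and salt -> same key; a new salt or a new password -> a new key.
    The salt is not secret; the key is still only as strong as the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, length)


def rotate(password, old_salt):
    """Assumed rotation helper: a fresh random salt gives a new key for the
    same password. The old key is recoverable only from the old salt, so
    retiring the key means securely deleting that salt (and re-encrypting
    data under the new key). Returns (new_salt, new_key)."""
    new_salt = os.urandom(16)
    if new_salt == old_salt:  # practically impossible, but never reuse a salt
        raise RuntimeError("salt collision, retry")
    return new_salt, derive_key(password, new_salt)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    pw = "correct horse battery"
    salt = os.urandom(16)
    print("raw key  :", password_as_raw_key(pw).hex())
    print("kdf key  :", derive_key(pw, salt).hex())
    print("rotated  :", rotate(pw, salt)[1].hex())
```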

lyalc