If your organization processes, transmits, or stores card payment data, you must comply with the PCI DSS guidelines to safeguard sensitive card payment transactions. The guidelines listed in the PCI compliance key management requirements will help secure any sensitive card payment data you store or process. Read on to learn more.
Best Practices for PCI Compliance Key Management
Using cryptographic keys to safeguard card payment data at rest and in transit is most effective when it aligns with the PCI compliance key management requirements.
This blog will provide an overview of:
- The updated PCI DSS Requirements per the recently released version 4.0
- The PCI compliance key management requirements listed under DSS Requirement 3
Compliance with the PCI key management requirements and the broader DSS framework will help safeguard card payment data from data breaches.
With the help of a PCI compliance partner, you will optimize your security controls to the required PCI compliance key management standards.
What are the PCI DSS Requirements?
The Payment Card Industry (PCI) Security Standards Council (SSC) developed the Data Security Standards (DSS) to secure account data collected, processed, stored, or transmitted during card payment transactions. The PCI DSS Requirements provide guidelines to help organizations implement robust security controls, such as those for PCI compliance key management.
Newly Released PCI DSS v4.0
In March of 2022, the PCI SSC released a new version of the PCI DSS (v4.0) to replace the current version, v3.2.1, which has been in use since 2018. Organizations can continue to use v3.2.1 for two years, after which it will no longer be in effect at the end of March 2024. The transition period will help organizations understand the new DSS v4.0 and implement necessary changes.
Per PCI DSS v4.0, the 12 principal Requirements include:
- Requirement 1 – Implement network security controls
- Requirement 2 – Secure all system components
- Requirement 3 – Safeguard stored account data
- Requirement 4 – Safeguard cardholder data during transmission over open, public networks
- Requirement 5 – Secure systems and networks from malicious software
- Requirement 6 – Implement safeguards for systems and software
- Requirement 7 – Limit access to system components and cardholder data by business need
- Requirement 8 – Implement user access controls to system components
- Requirement 9 – Control physical access to cardholder data
- Requirement 10 – Track user access to system components and cardholder data
- Requirement 11 – Assess the security of systems and networks periodically
- Requirement 12 – Implement organizational policies to support IT security
Understanding how each of the PCI DSS Requirements plays into your organization’s specific security needs will help you optimize compliance for the long term. It is also much easier to adjust your security controls—including those of PCI compliance key management—to the standards required by PCI DSS v4.0 with the guidance of a PCI compliance advisor.
PCI DSS Requirement 3 – Safeguard Stored Account Data
Requirement 3 of the DSS outlines the necessary safeguards for PCI compliance key management and requires organizations to secure all stored account data.
Account data refers to:
- Cardholder data (CHD), including:
  - Primary account numbers (PAN)
  - Cardholder name
  - Expiration date
  - Service code
- Sensitive authentication data (SAD), including:
  - Full track data
  - Card verification code (e.g., CVV, CVC)
  - Personal Identification Number (PIN)
PCI DSS Requirement 3 contains seven sections, each listing the safeguards necessary to keep stored account data secured at all times:
- Section 3.1 – Develop an understanding of the processes and mechanisms for safeguarding stored account data.
- Section 3.2 – Minimize the storage of account data.
- Section 3.3 – Avoid storing sensitive authentication data (SAD) following authorization.
- Section 3.4 – Prevent access to full primary account number (PAN) displays and restrict any copying of cardholder data.
- Section 3.5 – Secure PAN wherever it is stored.
- Section 3.6 – Safeguard the cryptographic keys used to secure account data.
- Section 3.7 – Define and implement processes for cryptographic key management.
The safeguards listed in Requirement 3 will help you optimize PCI compliance key management and streamline encryption and other cryptographic practices.
Storage of Cryptographic Keys
If your organization uses disk-level encryption to encrypt account data and render it unreadable, the cryptographic keys used must be securely stored. Disk-level encryption only encrypts a given disk or partition but does not encrypt the account data stored on the disks or partitions. Additionally, disk-level encryption provides access to the entire operating system—including read/write commands—with just a password at the start of a user’s session.
Compliance with the PCI key management requirements requires separate storage of the cryptographic keys securing account data from the access control and authentication methods used to secure the operating system.
Protection of Cryptographic Keys
The PCI compliance key management requirements for protecting cryptographic keys include:
- Restricting access to cryptographic keys to the fewest possible custodians
- Matching the strength of key-encrypting keys to that of data-encrypting keys
- Separate storage of key-encrypting and data-encrypting keys
- Secure storage of keys in the fewest possible locations
A best practice for protecting cryptographic keys is to have a centralized key management system to streamline all aspects of PCI compliance key management. The guidelines in industry standards such as the NIST SP 800-57 and the ISO 11568-1 can help further optimize cryptographic key management procedures.
Use of Cryptographic Keys
The cryptographic keys generated and used for all account data encryption must also be strong enough to maximize the security of sensitive account data. To achieve robust data encryption, organizations should implement cryptographic key management policies and procedures to standardize the generation and distribution of secure cryptographic keys to relevant custodians.
Furthermore, secure PCI key management policies and procedures should account for:
- Defined cryptoperiods for each cryptographic key in use
- Established change management processes for end-of-life cryptographic keys
- Storage of keys in a Hardware Security Module (HSM)
- Protection of secret keys (i.e., they should not be discoverable in source code)
- The use of archived cryptographic keys for only decryption or verification purposes
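The protection rules listed under "Protection of Cryptographic Keys" and the usage rules in the list above can be checked mechanically against a key inventory. The following is an added example, not code from the PCI DSS or from this blog's author; the `KeyRecord` fields, storage labels and sample inventory are hypothetical, and `strength_bits` means effective security strength (an RSA-2048 key counts as 112 bits under NIST SP 800-57), not raw key length.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    role: str                 # "KEK" (key-encrypting) or "DEK" (data-encrypting)
    strength_bits: int        # effective security strength, not raw key length
    store: str                # hypothetical label for where the key is stored
    activated: date
    cryptoperiod_days: int
    state: str                # "active" or "archived"
    wrapped_by: Optional[str] = None  # key_id of the KEK protecting a DEK

def allowed_operations(key: KeyRecord, today: date) -> set:
    """Archived or expired keys may only decrypt or verify existing data."""
    expired = today > key.activated + timedelta(days=key.cryptoperiod_days)
    if key.state == "archived" or expired:
        return {"decrypt", "verify"}
    return {"encrypt", "decrypt", "sign", "verify"}

def audit(inventory: list, today: date) -> list:
    """Return one finding per violated rule, in inventory order."""
    by_id = {k.key_id: k for k in inventory}
    findings = []
    for k in inventory:
        end = k.activated + timedelta(days=k.cryptoperiod_days)
        if k.state == "active" and today > end:
            findings.append(f"{k.key_id}: cryptoperiod ended {end}, still active")
        if k.role != "DEK":
            continue
        kek = by_id.get(k.wrapped_by)
        if kek is None or kek.role != "KEK":
            findings.append(f"{k.key_id}: no key-encrypting key on record")
            continue
        if kek.strength_bits < k.strength_bits:
            findings.append(f"{k.key_id}: KEK {kek.key_id} weaker than DEK")
        if kek.store == k.store:
            findings.append(f"{k.key_id}: stored with its KEK in {k.store}")
    return findings

# Constructed sample inventory (not real keys or systems)
INVENTORY = [
    KeyRecord("kek-1", "KEK", 112, "hsm-a", date(2023, 1, 1), 730, "active"),
    KeyRecord("dek-1", "DEK", 256, "db-host", date(2023, 6, 1), 365, "active", "kek-1"),
    KeyRecord("dek-0", "DEK", 112, "hsm-a", date(2022, 1, 1), 365, "archived", "kek-1"),
]
```

Running `audit(INVENTORY, date(2024, 7, 1))` reports an overdue rotation and an under-strength KEK for `dek-1`, and co-located storage for `dek-0`.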
For organizations that use manual cleartext processes for cryptographic key management, control of the keys cannot be assigned to a single custodian.
Instead, the PCI compliance key management requirements mandate the use of:
- Split knowledge – Here, two or more custodians may have separate key components and:
  - Each person has knowledge of only their own component, not the other components or the original cryptographic key.
  - The separate key components do not provide information about the other constituent components.
- Dual control – To use a cryptographic key or initiate a key-management function, two or more people must be involved in the authentication process via the use of:
  - Other types of keys
Additionally, the cryptographic keys used with manual key management processes must be generated using a secure, approved random number generator. Proper management of cryptographic keys based on the above guidelines will secure sensitive account data and help achieve robust PCI compliance key management, especially with the updated DSS v4.0.
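One way to produce key components that satisfy both split-knowledge conditions is XOR splitting, shown here as an added example that is not part of the original article or the PCI DSS text. It assumes Python's `secrets` module as a stand-in for the approved random number generator; the function names are illustrative. Simply cutting a key into halves would not qualify, because each half reveals half of the key.

```python
import secrets
from functools import reduce

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must all be the same length as the key")
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(key: bytes, custodians: int) -> list:
    """Split `key` into one full-length component per custodian."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    # All but the last component are independent CSPRNG output.
    parts = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    # The last component is the key XORed with every random component,
    # so it is also uniformly distributed when viewed on its own.
    parts.append(reduce(xor_bytes, parts, key))
    return parts

def combine_key(components: list) -> bytes:
    """Rebuild the key; every custodian's component must be present."""
    if len(components) < 2:
        raise ValueError("refusing to rebuild a key from a single component")
    return reduce(xor_bytes, components)

def missing_component_for(known: list, candidate_key: bytes) -> bytes:
    """Component that would make `known` combine to `candidate_key`.

    Such a component exists for every candidate key, which is why a
    custodian (or several, short of all) learns nothing about the real key.
    """
    return reduce(xor_bytes, known, candidate_key)

if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed 256-bit sample key
    parts = split_key(key, custodians=3)
    print("rebuilt correctly:", combine_key(parts) == key)
```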
You might also find it helpful to optimize PCI compliance key management best practices with guidance from a PCI compliance advisor.
Secure Account Data with PCI Compliance Key Management
Implementing the guidelines listed in the PCI compliance key management requirements is critical to mitigating data breaches and the loss of sensitive account data. Beyond data security, compliance with the PCI DSS will help your organization avoid hefty non-compliance penalties.
As a leading PCI compliance partner, RSI Security will help you optimize cryptographic key management to industry standards—securing account data in the short and long term. To get started, contact RSI Security today!