In April 2015, PCI DSS v3.1 was released as the latest iteration of the industry-wide requirements and guidelines for securing cardholder data.
This blog post discusses the cryptographic key management techniques used in the banking industry to comply with PCI DSS.
PCI DSS Updated to Address SSL Risk
The Payment Card Industry (PCI) has strict guidelines to ensure the protection of cardholder data. We all use credit cards and understandably want assurance that our information is safe. In response to damaging vulnerabilities such as Heartbleed, BEAST and POODLE, which take advantage of security holes in the SSL protocol, version 3.1 updated requirements 2.2.3, 2.3 and 4.1 to remove SSL and early TLS as examples of strong cryptography.
Cardholder data security
PCI DSS Requirement 3, “Protect stored cardholder data,” states that cardholder data should be protected at all levels by techniques such as encryption, truncation, masking and hashing, and it places strong emphasis on key management. Requirement 3.6 mandates the documentation of all key-management processes and procedures for the cryptographic keys used to encrypt cardholder data, including key storage, key distribution, etc.
Banks are required to comply with PCI DSS and to have their compliance validated by an audit. In the event of a security breach, any compromised entity that was not PCI DSS compliant at the time of the breach will be subject to additional card scheme penalties. The PCI DSS and PA-DSS define strong cryptography as “Cryptography based on industry-tested and accepted algorithms, along with strong key lengths and proper key-management practices.”
Implementing proper key management
The best way to comply is to identify all systems (servers, laptops, databases, etc.) that hold cardholder data and to encrypt the cardholder data held on them. Any system that handles cardholder data eventually becomes part of the PCI DSS scope and compliance validation. Key management plays a vital role in implementing encryption for compliance purposes: strict restrictions on access to the keys used to decrypt the ciphertext must be in place, or the encryption is ineffective. By limiting the number of key backup locations, we can not only restore a key easily when needed but also limit the number of individuals who are able to acquire and restore the keys.
Keys should be securely pushed to each key distribution target as and when required. PCI DSS requires entities to use ‘strong cryptography’, which means that weak algorithms such as MD5 are discouraged. Hashing with strong cryptography is a suitable method for protecting stored payment card numbers. The PCI DSS references the NIST key management procedures. It also emphasizes the documentation of the policies, standards and procedures for securely sharing the cryptographic keys used by the organization.
The Cryptomathic Crypto Service Gateway (CSG) provides a high-performance crypto platform for building new PCI-compliant processing systems or adapting legacy systems for PCI compliance. CSG is flexible: it supports a variety of high-level data protection services that are easy to use and let application developers work efficiently with sensitive customer data while retaining it in a processable format.
CSG provides multiple techniques to achieve PCI compliance
- An integrated, centralized key management system ensures that no one has access to encryption keys in the clear, and that only authorized personnel have access to metadata such as key names and key states. All key management audits can be performed centrally through a user-friendly GUI and tamper-evident audit logs, which simplifies proof of compliance.
- Acting as a central point of policy control, protection and auditing for the commands that access cardholder data, in order to demonstrate proper security controls on data access.
- Providing a data encryption/tokenization platform that helps achieve encryption or tokenization across a system and thus de-scopes large parts of the system from the PCI security rules. Tokenization protects sensitive data such as the PAN by replacing the original value with a token of the same length. CSG offers tokenization as a basic function available to any application. The tokenization process is customizable and can allow parts of the data to pass through unchanged (e.g. the last four digits of the PAN). A configurable mixture of format-preserving encryption and database storage is used to produce the token values.
- Acting as the cardholder data environment, i.e. the sole location (or one of a limited number of locations) where cardholder data is processed in the clear.
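As an added illustration of the vault-style tokenization described in the list above (example code written for this post, not Cryptomathic's CSG), a minimal Python tokenizer that produces a same-length numeric token, passes the last four PAN digits through unchanged, and stores the token-to-PAN mapping in a lookup table; the PAN value in the usage lines is constructed sample data, and the in-memory dictionaries stand in for the protected database a real deployment would use.

```python
import re
import secrets


class PanTokenVault:
    """Vault-based tokenizer: same-length numeric token, last four digits kept.

    Only the vault (this object) ever sees the real PAN; systems that store
    the token hold no cardholder data, which is what de-scopes them.
    """

    def __init__(self, keep_last: int = 4):
        self.keep_last = keep_last
        self._pan_to_token: dict[str, str] = {}  # one stable token per PAN
        self._token_to_pan: dict[str, str] = {}  # reverse lookup for detokenization

    def tokenize(self, pan: str) -> str:
        if not re.fullmatch(r"\d{13,19}", pan):
            raise ValueError("PAN must be 13 to 19 digits")
        if pan in self._pan_to_token:          # already tokenized: return the same token
            return self._pan_to_token[pan]
        replaced_len = len(pan) - self.keep_last
        suffix = pan[-self.keep_last:]          # pass-through part (e.g. last four digits)
        while True:
            # CSPRNG digits for the replaced part; nothing about the original
            # leading digits is recoverable from the token without the vault.
            prefix = "".join(str(secrets.randbelow(10)) for _ in range(replaced_len))
            token = prefix + suffix
            # Reject a token already issued, or one equal to any PAN the vault
            # holds, so a token can never be mistaken for a real card number.
            if token not in self._token_to_pan and token not in self._pan_to_token:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        # Only authorized callers of the vault should ever reach this method.
        if token not in self._token_to_pan:
            raise KeyError("unknown token")
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = PanTokenVault()
    sample_pan = "4111111111111111"            # constructed sample value, not a real card
    tok = vault.tokenize(sample_pan)
    print(tok, vault.detokenize(tok) == sample_pan)
```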