In April 2015, PCI DSS v3.1 was released as the latest iteration of the industry-wide requirements and guidelines for securing cardholder data.
This blog post discusses the cryptographic key management techniques that banks use to meet PCI DSS requirements.
PCI DSS Updated to Address SSL Risk
The Payment Card Industry (PCI) has strict guidelines to ensure the protection of cardholder data. We all use credit cards and understandably want assurance that our information is safe. In response to damaging vulnerabilities such as Heartbleed, BEAST and POODLE, which take advantage of security holes in the SSL protocol, version 3.1 updated requirements 2.2.3, 2.3 and 4.1 to remove SSL and early TLS as examples of strong cryptography.
Cardholder data security
PCI DSS Requirement 3, “Protect stored cardholder data,” states that cardholder data should be protected at all levels by techniques such as encryption, truncation, masking, and hashing, and it places a strong emphasis on key management. Requirement 3.6 requires documentation of all key-management processes and procedures for the cryptographic keys used to encrypt cardholder data, covering key generation, key storage, key distribution, etc.
Banks are required to comply with PCI DSS and to have their compliance validated by means of an audit. In the event of a security breach, any compromised entity that was not PCI DSS compliant at the time of the breach will be subject to additional card scheme penalties. The PCI DSS and PA-DSS define strong cryptography as “Cryptography based on industry-tested and accepted algorithms, along with strong key lengths and proper key-management practices.”
Implementing proper key management
The best way to comply is to identify all systems, including servers, laptops, databases, etc., that hold cardholder data and encrypt that data wherever it is stored. Any system that handles cardholder data eventually becomes part of the PCI DSS scope and compliance validation. Key management is a crucial aspect of implementing encryption for compliance reasons. Strict restrictions on access to the keys used to decrypt the ciphertext must be in place for the encryption to be effective. By limiting the locations where keys are backed up, we can not only restore a key easily when necessary, but also limit the number of individuals who are able to acquire and restore the keys.
Keys should be securely pushed to each key distribution target as and when required. PCI DSS requires entities to use ‘Strong Cryptography’, which means the use of weak algorithms such as MD5 is discouraged. Hashing is a suitable method of protecting and storing payment card numbers. The PCI DSS references the NIST key management procedures. It also emphasizes the documentation of policies, standards, and procedures for securely sharing cryptographic keys.
The solution for simplifying the PCI audits
The Cryptomathic Crypto Service Gateway (CSG) provides a high-performance cryptography platform for developing new PCI-compliant processing systems or adapting legacy systems for PCI compliance. CSG is adaptable, supporting a variety of high-level data protection services that are easy to use and enable application developers to work efficiently with sensitive customer data while retaining it in a processable format.
CSG provides multiple techniques to achieve PCI compliance
- An integrated centralized key management system ensures that no one has access to encryption keys in the clear and that only authorized employees will have access to metadata such as key names and key states. All key management audits can be done centrally through a user-friendly GUI and tamper-evident audit logs to simplify proof of compliance.
- Acting as a central point of policy control, protection, and auditing for commands that access cardholder data - to demonstrate adequate data access security controls.
- Providing a data encryption/tokenization platform to help achieve encryption or tokenization across a system and thus de-scope large parts of the system from PCI security rules. Tokenization refers to the protection of sensitive data such as a PAN by replacing the original data with a token of the same length. CSG provides tokenization as a standard feature accessible to all applications. The tokenization process is customizable and can permit certain data segments to pass through unchanged (e.g. the last four digits of the PAN). A configurable mixture of format-preserving encryption and database storage is used to produce the token values.
- Acting as the cardholder data environment and being the sole location (or one of a limited number of locations) where cardholder data is processed in clear.
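As an added illustration (example code, not Cryptomathic's CSG), the following Python shows the vault-style variant of the tokenization described above: the last four digits of the PAN pass through unchanged, the remaining digits are replaced at random, and tokens are deliberately chosen to fail the Luhn check so that a leaked token cannot be mistaken for a live PAN. The TokenVault class and its in-memory dictionaries are assumptions standing in for the encrypted database that, in a real deployment, would sit inside the cardholder data environment under keys controlled by the key management system.

```python
import secrets

def luhn_check(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn checksum used by PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical vault: maps tokens to PANs; only the token leaves the vault.

    keep_first / keep_last select the PAN segments that pass through unchanged
    (the page's example keeps the last four digits)."""

    def __init__(self, keep_first: int = 0, keep_last: int = 4):
        self.keep_first = keep_first
        self.keep_last = keep_last
        self._token_to_pan = {}   # would be an encrypted table in practice
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("PAN must be 13-19 digits")
        if pan in self._pan_to_token:         # same PAN always yields same token
            return self._pan_to_token[pan]
        head = pan[:self.keep_first]
        tail = pan[len(pan) - self.keep_last:]
        middle_len = len(pan) - len(head) - len(tail)
        if middle_len < 1:
            raise ValueError("nothing left to tokenize after passthrough")
        for _ in range(1000):
            middle = "".join(secrets.choice("0123456789") for _ in range(middle_len))
            token = head + middle + tail
            # Reject collisions and Luhn-valid candidates: a token that passes
            # Luhn could be confused with a real card number downstream.
            if token not in self._token_to_pan and not luhn_check(token):
                self._token_to_pan[token] = pan
                self._pan_to_token[pan] = token
                return token
        raise RuntimeError("could not find a free token")

    def detokenize(self, token: str) -> str:
        """Resolve a token back to the PAN; callable only inside the CDE."""
        return self._token_to_pan[token]
```

Because the token keeps the PAN's length and last four digits, existing database schemas and receipt formats can carry it unchanged while the PAN itself stays in the vault.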