In April 2015, PCI DSS v3.1 was released as the latest iteration of the industry-wide requirements and guidelines for securing cardholder data.
This blog post discusses the cryptographic key management techniques used in the banking industry to comply with PCI DSS.
The Payment Card Industry (PCI) has strict guidelines to ensure the protection of cardholder data. We all use credit cards and understandably want assurance that our information is safe. In response to damaging vulnerabilities such as Heartbleed, BEAST and POODLE, which take advantage of security holes in the SSL protocol, version 3.1 updated requirements 2.2.3, 2.3 and 4.1 to remove SSL and early TLS as examples of strong cryptography.
PCI DSS Requirement 3, “Protect stored cardholder data”, states that cardholder data should be protected at all levels by techniques such as encryption, truncation, masking and hashing, and it places strong emphasis on key management. Requirement 3.6 requires documentation of all key-management processes and procedures for the cryptographic keys used to encrypt cardholder data, covering key generation, key storage, key distribution and so on.
Banks are required to comply with PCI DSS as well as to have their compliance validated by means of an audit. In the event of a security breach, any compromised entity which was not PCI DSS compliant at the time of breach will be subject to additional card scheme penalties. The PCI DSS and PA-DSS define strong cryptography as “Cryptography based on industry-tested and accepted algorithms, along with strong key lengths and proper key-management practices.”
The best way to comply is to identify all systems, including servers, laptops, databases, etc., that hold cardholder data and to encrypt that data wherever it is stored. Any system that handles cardholder data eventually becomes part of the PCI DSS scope and compliance validation. Key management plays a vital role in implementing encryption for compliance purposes: encryption is only as effective as the controls on the keys that decrypt the ciphertext, so strict restrictions on access to those keys must be in place. By limiting where keys are backed up, not only can the key be restored easily when needed, but the number of individuals who can acquire and restore the keys is also kept small.
Keys should be securely pushed to any key distribution target as and when required. PCI DSS requires entities to use ‘strong cryptography’, which means that the use of weak algorithms such as MD5 is discouraged. Hashing is the suitable method for protecting and storing payment card numbers. The PCI DSS references the NIST key-management procedures. It also emphasizes the documentation of policies, standards and procedures for securely sharing the cryptographic keys used by the organization.
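The following is an added example, not code from the original post or from Cryptomathic, showing the three Requirement 3 techniques named above applied to a single PAN: truncation (keeping at most the first six and last four digits), masking for display, and hashing. The hashing part contrasts a plain unkeyed SHA-256 with an HMAC-SHA-256 under a secret key, because a PAN has little entropy (known issuer prefix, fixed length, Luhn check digit) and an unkeyed digest can therefore be regenerated by anyone who can enumerate candidate numbers; a keyed hash ties the digest to a key that is then managed under Requirement 3.6 like any other cardholder-data key. The sample PAN is a widely published test number, not a real account, and the key is a constructed placeholder.

```python
import hashlib
import hmac
import secrets

# Constructed sample input: a widely published test card number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    if not pan.isdigit():
        return False
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def truncate_pan(pan: str) -> str:
    """PCI DSS truncation: retain at most the first six and last four digits.
    The middle digits are discarded, not hidden, so they cannot be recovered."""
    return pan[:6] + pan[-4:]


def mask_pan(pan: str) -> str:
    """Masking for display: first six and last four shown, the rest replaced by '*'.
    Unlike truncation, the full PAN still exists somewhere; masking only limits what is shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash_pan(pan: str) -> str:
    """Plain SHA-256 of the PAN, shown for contrast only. With no secret involved,
    anyone who can enumerate candidate PANs can regenerate and compare digests."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def keyed_hash_pan(pan: str, key: bytes) -> str:
    """HMAC-SHA-256 of the PAN under a secret key. The digest cannot be regenerated
    without the key, so the key must be generated, stored, distributed and rotated
    under the documented key-management procedures of Requirement 3.6."""
    if len(key) < 32:
        raise ValueError("HMAC key should be at least 256 bits for SHA-256")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def pan_matches(stored_digest: str, candidate_pan: str, key: bytes) -> bool:
    """Look up a PAN against a stored keyed digest using a constant-time comparison."""
    return hmac.compare_digest(stored_digest, keyed_hash_pan(candidate_pan, key))


if __name__ == "__main__":
    # Placeholder key: in production it would be generated and held in an HSM or key manager.
    key = secrets.token_bytes(32)
    assert luhn_valid(SAMPLE_PAN)
    print("truncated:", truncate_pan(SAMPLE_PAN))
    print("masked:   ", mask_pan(SAMPLE_PAN))
    print("unkeyed:  ", unkeyed_hash_pan(SAMPLE_PAN))
    digest = keyed_hash_pan(SAMPLE_PAN, key)
    print("keyed:    ", digest)
    print("lookup ok:", pan_matches(digest, SAMPLE_PAN, key))
```

Truncated and masked forms are both "first six, last four", but only the truncated value may be stored without further protection, since the masked string implies the full PAN is retained elsewhere. The keyed digest is only as strong as the handling of its key, which is exactly why the post ties hashing back to the Requirement 3.6 key-management documentation.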
The Cryptomathic Crypto Service Gateway (CSG) provides a high-performance crypto platform on which to build new PCI-compliant processing systems or to adapt legacy systems for PCI compliance. CSG is flexible, supporting a variety of high-level data protection services that are easy to use and that enable application developers to work efficiently with sensitive customer data while retaining it in a processable format.