3 min read

Key blocks and PCI PIN requirements: FAQs

Key blocks and PCI PIN requirements: FAQs

This article proposes a few answers to a series of frequently asked questions (FAQs) about key blocks and their use with PCI.

Q: What are the requirements for key blocks imposed by the PCI standards?

A: The latest PCI PIN standards imposes the usage of key blocks for the management and exchange (between internal and external systems) of all encrypted symmetric keys. These key blocks should follow the TR-31 technical report (an ISO document that details how key blocks should look and be implemented). 

Q: Are TR-31 key blocks mandatory and imposed by PCI PIN?

A: Strictly speaking, they aren’t. Any other ‘equivalent’ method to TR-31 can be used during an interim period as long as the key block respects a minimal set of functions defined by:

“The key usage must be cryptographically bound to the key using accepted methods, such that it must be infeasible for the key to be used if the usage attributes have been altered.”

Thus, it doesn’t seem possible to use PKCS#8, for instance.

Q: Are there key block requirements in PCI-DSS?

A: No, there aren’t. PCI key block requirements are only for PCI-PIN.

New Call-to-action

Q: Does the issuer have to implement key blocks for their own issuing keys? 

A: From a strict point of view, issuers are not legally bound to implement key blocks. However, since they are often the receiving party and connected to parties who must implement key blocks, issuers will also need to implement key blocks to have their system working for interoperability purposes.

Q: What type of keys must be protected by key blocks in PCI-PIN?

A: There can be a lot of different key types involved in the processing of PINs, but the most common are :

  • ZMKs (Zone master keys);
  • KEKs (Key encryption keys);
  • BDKs (Base derivation keys);
  • TMKs (Terminal master keys);
  • PEKs (PIN encryption keys).

Q: Does PCI-PIN require key blocks to be used both for transport and for storage?

A: Yes, key blocks are also required for storage by PCI-PIN. This means that HSMs must store symmetric encrypted keys as key blocks and only ASC key blocks. Of course, this doesn’t apply to all types of keys. For example, this doesn’t apply to one-time keys, such as DUKPT.

Q: Do PCI-PIN request the use of a key protection key for the key block?

A: The key protection key (KPK) is specified in TR-31 to derive the KBEC (key block encryption key) and the KBAC (key block authentication key). If TR-31 is chosen as the implementation reference for the key blocks, using a KPK is mandatory. 

Q: What is the current timeline for the implementation of key blocks as dictated by the PCI norm?

A: The phased implementation dates are as follows (correct at time of writing):

  • Phase 1 – Implement Key Blocks for internal connections and key storage within Service Provider Environments – this would include all applications and databases connected to hardware security modules (HSM). Effective date: 1 June 2019.
  • Phase 2 – Implement Key Blocks for external connections to Associations and Networks. Effective date: 1 Jan 2023 (replaces previous effective dates of 1 June 2021 and 1 June 2023).
  • Phase 3 – Implement Key Block to extend to all merchant hosts, point-of-sale (POS) devices and ATMs. Effective date: 1 June 2025 (replaces previous effective date of 1 June 2023).

Q: What can you do to get your organization ready before the changes related to key block as dictated by PCI-PIN requirements go into effect?

A: Talk to Cryptomathic to schedule a review of your system environments.

New call-to-action

References and Further Reading