2 min read

PCI Key Block Implementation: Migration Phases & Key Management

PCI Key Block Implementation: Migration Phases & Key Management

In June 2019, the PCI Security Standards Council issued an information supplement titled PCI PIN Security Requirement 18-3 – Key Blocks, which requires that encrypted symmetric keys be managed in structures called “Key Blocks.”

As per this updated requirement, the key usage must be cryptographically bound to the key, using an accepted method, so that it is infeasible for the key to be used if its usage attributes have been altered.

PCI PIN Security Requirement 18-3 - Key Blocks outlines the implementation of the new standard in three phases:

Phase 1 – Effective 1 June 2019, key blocks for internal connections and key storage within service provider environments are to be implemented. This includes all applications and databases that are connected to hardware security modules (HSMs).

Phase 2 – Effective 24 months from implementing Phase 1, or by 1 June 2021, implementation of key blocks for external connections to associations and networks must be done.

Phase 3 – Effective 24 months from implementing Phase 2, or by 1 June 2023, implementation of key blocks to extend to all point-of-sale (POS), merchant hosts, and ATMs must be done.

What is a Key Block?

A key block is a key wrapping (encryption) mechanism that contains the encrypted key, its constraints for use, and additional data about the key.  The purpose of a key block is to protect the integrity of an encrypted key. For banking and related financial services, the key wrapping process uses AES and ANSI TR31.

PCI SSC Information Supplement Cryptographic Key Blocks provides additional information regarding the algorithms to be used for wrapping.

Do Key Blocks Need to Be Used for All Symmetric Keys?

New Call-to-actionAccording to PCI PIN Security Requirement 18-3 – Key Blocks, all PIN security-relevant symmetric keys that are exchanged or stored with another symmetric key must be protected by Key Blocks.

This includes, but is not limited to:

  • PIN-Encryption Keys (PEKs)
  • Zone Master Keys (ZMKs)
  • Key-Encipherment Keys (KEKs)
  • Terminal Master Keys (TMKs)
  • Base Derivation Keys (BDKs)

Considerations for HSMs

All previously established keys may still be used. After the implementation date, Key-Block Protection Keys (KBPKs) must be created for all connections that send keys. Existing KEKs are not required to be reissued as KBPKs. However, an existing KEK may be converted to a KBPK through mechanisms supplied by an HSM vendor.

What Are the Acceptable Methods of Implementation?

Acceptable methods for implementing PCI PIN Security Requirement 18-3 – Key Blocks’ integrity requirements include, but are not limited to:

  • A MAC-computed over the concatenation of the clear-text attributes and the enciphered portion of the Key Block, including the key itself,
  • A digital signature that is computed over that same data,
  • An integrity check that is an implicit part of the key-encryption process as used in the AES key-wrap process, according to ANSI X9.102.

How Will Compliance Be Determined?

New Call-to-action

Compliance for the various phases of Key-Block Implementation is evaluated by a PCI assessor. This is done by examining the configuration settings on HSMs and commercial applications, and through design documentation for proprietary software.

Cryptomathic’s CKMS Makes Migration Easier

The proposed phased implementation for PCI PIN Security Requirement 18-3 – Key Blocks is for a good reason: it will require much effort in migrating symmetric keys to key blocks.

Cryptomathic’s banking-grade key management system CKMS can provide assistance to migrate keys to using key blocks because it supports a range of key block formats, including:

  • Atalla Key Block
  • BASE24 Key Exchange
  • IBM CCA (versions 4.3 and 6.0)
  • MasterCard OBKM
  • PKCS#8 Cryptogram
  • TR-31 - including the specific superset supported by all Thales payShield devices

This, combined with the ultra-secure environment and unrivaled user-experience, means that migration is a completely painless process.

We will help you achieve this - either as a Professional Services engagement, as we have done on many occasions, or through our excellent help-desk support.

So, in summary, CKMS allows for an easy migration process, confident compliance, and convenient audits from a centralized location for banks and financial institutions that handle PIN transactions.


New Call-to-action


References and Further Reading