EMV chips on payment cards contain a cryptographic co-processor and, on dual-interface cards, both a contact and a contactless interface. When an EMV card is issued, the cardholder's data is extracted from the bank's or financial institution's database.
That data is then fed into a data preparation system, which combines it with the issuer's cryptographic material, including digital certificates and cryptographic keys, and protects the resulting personalization data with encryption. The final step is personalization, in which this data is written to the EMV chip on the payment card.
As card issuers adopt EMV, the cryptographic material that gives EMV cards and payment systems their stronger protection must itself be managed securely, with strong cryptography and sound key management, in compliance with PCI DSS requirements.
In short, the Payment Card Industry Data Security Standard (PCI DSS) defines strong cryptography as cryptography based on industry-tested and accepted algorithms, together with key lengths that provide effective key strength (the v3.2 glossary sets the floor at 112 bits) and proper key management practices, such as protecting keys in hardware security modules. Cryptography "is a method to protect data and includes both encryption (which is reversible) and hashing (which is not reversible)." Examples of such standard algorithms and key lengths include:
PCI DSS Requirement 2.3 (in version 3.2, released April 2016) requires that all non-console administrative access over a network be encrypted using strong cryptography, because administrator IDs, passwords and other operational details sent in the clear could be captured by an eavesdropper. For transmission of cardholder data across open, public networks, PCI DSS flags the known vulnerabilities in SSL and early TLS (TLS 1.0) and no longer counts them as strong cryptography; it nevertheless allowed existing implementations, under a documented risk mitigation and migration plan, to keep using them until June 30, 2018, with a longer exception for certain POS POI terminals. (SSH is not among the deprecated protocols; the standard names it as an acceptable choice for administrative access.)
Regardless of the protocol in use, PCI DSS's general guidance is to use only strong cryptography when transmitting cardholder data across networks and to pair it with mechanisms such as trusted certificates, so that the endpoint is authenticated and not merely the channel encrypted.
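The two points above, a protocol floor that excludes SSL and early TLS and a trusted-certificate check on the peer, can be expressed as a small audit of a client-side TLS configuration. The following is an added example written for this page, not code from the original article or from Cryptomathic; it uses only Python's standard `ssl` module. The TLS 1.2 threshold and the finding texts are this example's own choices, not PCI DSS wording.

```python
import ssl

# Added example: audit a client-side TLS configuration against the points in
# the text. "Strong" is taken here to mean TLS 1.2 or later (no SSL, no early
# TLS) with the server certificate verified against a trusted CA set and the
# hostname matched against it. PCI_MIN_TLS is this example's assumption.
PCI_MIN_TLS = ssl.TLSVersion.TLSv1_2


def weak_client_context() -> ssl.SSLContext:
    """The legacy setting: any negotiable protocol, no certificate checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be cleared before verify_mode can be relaxed.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # accept early TLS
    except (ValueError, ssl.SSLError):
        # Some OpenSSL builds compile old protocol versions out entirely;
        # in that case the library itself already enforces a higher floor.
        pass
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """What the guidance asks for: TLS 1.2+, trusted CA verification, hostname check."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = PCI_MIN_TLS
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the list of findings; an empty list means the context passes."""
    findings = []
    if ctx.minimum_version < PCI_MIN_TLS:
        findings.append("permits SSL/early TLS (minimum version below TLS 1.2)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required (no trusted-certificate check)")
    if not ctx.check_hostname:
        findings.append("hostname not matched against the certificate")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_tls_context(ctx) or "OK")
```

The audit inspects the context object rather than a live connection, so it runs offline and can be applied to any `SSLContext` an application builds before it is used; the same three checks are what a reviewer looks for first in code that opens connections carrying cardholder data.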
To achieve strong cryptography, PCI DSS v3.2 points to industry standards and best practices for key management such as NIST SP 800-52 (TLS configuration), NIST SP 800-57 (key management) and OWASP guidance. Following the NIST recommendations for key management, strong cryptography is used to perform or support the fundamental security services listed below:
One of the explicitly stated tasks of these services is the protection of cryptographic keying material. For key storage, PCI DSS Requirement 3.5.3 requires that secret and private keys used to encrypt/decrypt cardholder data be stored at all times in one (or more) of the following forms:
Note: It is not required that public keys be stored in one of these forms.
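Among the storage forms Requirement 3.5.3 accepts are a key wrapped under a key-encrypting key at least as strong as it and stored separately, a key kept inside a secure cryptographic device such as an HSM, and a key held as at least two full-length components or key shares. The last of these is easy to show end to end. The following is an added example, not code from the original article or from Cryptomathic: XOR-based components, each the full length of the key, so that any subset short of all of them carries no information about it, plus a check value an operator can compare after reassembly. The HMAC-based check value is this example's assumption; in practice a cipher-based KCV is used with TDES/AES keys.

```python
import hashlib
import hmac
import secrets

# Added example: full-length XOR key components as one of the key-storage forms
# PCI DSS 3.5.3 accepts. Each custodian holds one component; the key exists only
# when all components are combined, typically inside an HSM during a key ceremony.


def xor_bytes(*chunks: bytes) -> bytes:
    """XOR equal-length byte strings together."""
    length = len(chunks[0])
    if any(len(c) != length for c in chunks):
        raise ValueError("all components must be the full key length")
    out = bytearray(length)
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def key_check_value(key: bytes) -> str:
    # Assumption: an HMAC-SHA256 tag over a zero block, truncated to 6 hex
    # digits, stands in for the cipher-based KCV used with TDES/AES keys.
    # It lets an operator confirm a reassembled key without exposing it.
    return hmac.new(key, b"\x00" * 16, hashlib.sha256).hexdigest()[:6]


def split_into_components(key: bytes, n: int) -> list[bytes]:
    """Return n full-length components whose XOR is `key`.

    n-1 components are uniformly random; the last is chosen so the XOR of all
    n equals the key. Any n-1 of them are therefore independent of the key.
    """
    if n < 2:
        raise ValueError("need at least two components")
    random_parts = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = xor_bytes(key, *random_parts)
    return random_parts + [last]


def combine_components(components: list[bytes]) -> bytes:
    """Reassemble the key from all of its components."""
    return xor_bytes(*components)


if __name__ == "__main__":
    dek = secrets.token_bytes(16)  # constructed AES-128 data-encrypting key
    parts = split_into_components(dek, 3)
    for i, part in enumerate(parts, 1):
        print(f"custodian {i}: {part.hex()}  KCV {key_check_value(part)}")
    rebuilt = combine_components(parts)
    print("reassembled matches:", rebuilt == dek, "KCV", key_check_value(rebuilt))
```

Per-component check values let each custodian verify the component they were handed, and the check value of the whole key lets the ceremony confirm a correct reassembly without ever printing the key. The split is information-theoretic rather than threshold-based: every component is required, which matches the "full-length key components" form; a k-of-n share scheme would be the "key shares" alternative.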
Many applications need a combination of security services. When designing a secure system, developers first decide which security services are required to protect the information the system stores and processes, and then choose the mechanisms that best deliver them. Not all such mechanisms are cryptographic (biometric identification devices, for example), but cryptographic mechanisms built on algorithms, keys and associated keying material normally provide the most cost-effective way to protect information, especially data at risk of exposure to unauthorized parties.
To address this, Cryptomathic offers cryptographic infrastructure solutions that let businesses take central control of cryptography, key management and security policy across the applications that require strong cryptography. Centralized, automated key and crypto management makes strong cryptography easier to deploy, maintain and update, while simplifying security audits and proof of compliance with requirements such as PCI DSS.