Payment Card Industry Data Security Standard (PCI DSS) compliance protects customers who have no way of seeing, let alone evaluating, the complex technology that handles their card data behind the scenes.
Financial institutions are obliged to comply with regulations that require them to protect customer information. Much of that protection rests on cryptography, which renders stored card data and users' personal information unreadable if a breach occurs. The keys that can unlock that data are therefore the most sensitive part of any cryptographic operation: they require strict protection, and access to them must be authorized through internal controls.
PCI DSS has 12 requirements designed as the baseline for operating an environment in which cardholder data is not compromised. This post covers three sub-requirements of Requirement 3 that deal specifically with the generation and distribution of, and access control over, the cryptographic keys that protect cardholder data.
Requirement 3.6.1 requires organizations to generate strong cryptographic keys. The standard does not say exactly how to achieve this, which makes it a harder task than it looks. An auditor will examine whether the tools an organization uses to generate its keys produce random values that are practically impossible to predict.
A cryptographically secure pseudo-random number generator makes this possible; a general-purpose PRNG such as a linear congruential or Mersenne Twister generator does not, because its future output is predictable from a modest number of observed values. One question the auditor wants answered is: how sure is the organization that the quality of its random numbers makes collisions unlikely and prevents an attacker from predicting them?
The German Federal Office for Information Security (BSI) defines four quality classes for random number generators (the AIS 20 functionality classes K1 to K4). Generators in classes 3 and 4 are the ones to prefer: an attacker who observes part of the output must be unable to derive earlier or later outputs or the generator's internal state, and in class 4 even knowledge of the internal state must not reveal earlier outputs.
The risk here is that an organization treats compliance as a routine checklist, picks the wrong tools, and does not discover the mistake until the auditor tests these properties.
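The following is an added example, not part of the original post, showing concretely what the class 3/4 criterion rules out. Python's `random` module is a Mersenne Twister (MT19937): anyone who sees 624 consecutive 32-bit outputs can reconstruct the generator's entire state and predict every later output, so a "random" key derived from it is recoverable by the attacker. The `secrets` module, which draws from the operating system's CSPRNG, is the correct tool. The seed value and the scenario (the attacker having already observed 624 outputs, for example as nonces or request IDs) are constructed for the demonstration.

```python
"""Added example: why a key must come from a CSPRNG, not a general-purpose PRNG."""
import random
import secrets

MASK32 = 0xFFFFFFFF
N, M = 624, 397           # MT19937 state size and middle word offset
MATRIX_A = 0x9908B0DF     # MT19937 twist constant


def temper(y):
    """MT19937 output tempering, exactly what random.getrandbits(32) applies."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def _undo_right_shift_xor(y, shift):
    # Invert y = x ^ (x >> shift); each pass fixes `shift` more high bits.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x & MASK32


def _undo_left_shift_xor(y, shift, mask):
    # Invert y = x ^ ((x << shift) & mask); each pass fixes `shift` more low bits.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & MASK32


def untemper(z):
    """Recover the raw state word from one tempered 32-bit output."""
    z = _undo_right_shift_xor(z, 18)
    z = _undo_left_shift_xor(z, 15, 0xEFC60000)
    z = _undo_left_shift_xor(z, 7, 0x9D2C5680)
    z = _undo_right_shift_xor(z, 11)
    return z


def twist(state):
    """One MT19937 state transition, updating a copy in place as the reference code does."""
    mt = list(state)
    for i in range(N):
        y = (mt[i] & 0x80000000) | (mt[(i + 1) % N] & 0x7FFFFFFF)
        v = mt[(i + M) % N] ^ (y >> 1)
        if y & 1:
            v ^= MATRIX_A
        mt[i] = v
    return mt


def predict_next(outputs, count=1):
    """Given the 624 outputs of getrandbits(32) following a (re)seed, return the next `count`.

    Assumes the observed window is aligned with a twist, which holds for a freshly
    seeded generator because Python twists on the first draw after seeding.
    """
    if len(outputs) != N:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = twist([untemper(o) for o in outputs])
    return [temper(w) for w in state[:count]]


def weak_key(rng, nbytes=32):
    """What NOT to do: derive an AES-256 key from a non-cryptographic PRNG."""
    return b"".join(rng.getrandbits(32).to_bytes(4, "big") for _ in range(nbytes // 4))


def strong_key(nbytes=32):
    """Requirement 3.6.1 style: draw key material from the OS CSPRNG."""
    return secrets.token_bytes(nbytes)


def demo(seed=20240101):
    """Constructed scenario: the victim leaks 624 outputs, then derives a key from the
    same generator. Returns (next_output_predicted, full_key_recovered)."""
    victim = random.Random(seed)                           # constructed seed, demo only
    leaked = [victim.getrandbits(32) for _ in range(N)]    # values the attacker observed
    guessed = b"".join(w.to_bytes(4, "big") for w in predict_next(leaked, 8))
    actual = weak_key(victim)                              # the victim's "random" key
    next_ok = int.from_bytes(actual[:4], "big") == predict_next(leaked)[0]
    return next_ok, guessed == actual


if __name__ == "__main__":
    print("attacker predicted next output / recovered key:", demo())  # (True, True)
    print("CSPRNG key (unpredictable):", strong_key().hex())
```

The untempering and twist code is the standard inversion of MT19937 and works against any language's stock Mersenne Twister, not only Python's; the only thing the attack needs is a stretch of raw 32-bit outputs. Nothing comparable exists for the OS CSPRNG behind `secrets`, which is the property an auditor is probing for under 3.6.1.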
Requirement 3.6.2 focuses on the secure distribution of cryptographic keys. Keys should be distributed only to the custodians named on the access list, and that list should be kept as short as possible. An auditor may use ISO 27001 Annex A as a reference for the relevant control objectives and controls.
Annex A.9 (access control) covers the management of privileged access rights, and the auditor reviews the formal documentation to determine whether elevated rights are managed correctly. Once that analysis is complete, the auditor checks whether the keys were actually distributed to the approved custodians and to no one else.
Security mechanisms have often been weakened by privileged users misusing their authority. The key management system must therefore be logged continuously, so that it can be demonstrated that only authorized users have accessed the keys.
Hardware security modules (HSMs) address many of these key management problems and are highly recommended. Before buying, however, organizations should get clarity from the vendor on practical matters such as how the device integrates with their existing systems.
An HSM also helps with the custodian lifecycle, when a custodian leaves the company or a new employee is hired, and keeps the organization compliant, provided the right equipment is purchased. On some HSMs, an administrator must create a group for the key custodians and manage every custodian entering and leaving that group.
Of the 12 PCI DSS requirements, these three sub-requirements are the most relevant to key generation and distribution. To meet them and give the data the strongest protection, HSMs supply the cryptographic functions, the user access controls and, in most cases, the key management software needed for PCI DSS compliance.
Blog post by Paul Abraham