Key generation and distribution considerations for PCI DSS Compliance

Payment Card Industry Data Security Standard (PCI DSS) compliance protects customers who, in most cases, have no visibility into the technologies that handle their card data behind the scenes.

Financial institutions are obliged to comply with the rules that enforce the protection of customer information. All of this protection rests on cryptography, which renders credit card data and users' personal information unreadable in the event of a security breach. The keys that can unlock that data are the most sensitive part of any cryptographic operation: they require strict protection, and access to them must be authorized through internal controls.

PCI DSS has 12 requirements designed to serve as the basis for organizations to operate in a secure environment in which cardholder data is not compromised. Here we cover three requirements that specifically concern the generation and distribution of, and access control for, the keys that protect cardholder data.

Requirement 3.6.1

Requirement 3.6.1 requires organizations to generate strong cryptographic keys. The standard does not prescribe exactly how to achieve this, which makes the task less straightforward than it looks. An auditor will examine whether the tools the organization uses to generate its keys produce random values that are practically impossible for an attacker to predict.

A cryptographically secure random number generator makes this possible; a general-purpose pseudo-random number generator does not. The question an auditor wants answered is: how sure is the organization that the quality of the random numbers it generates makes collisions unlikely and prevents an attacker from predicting them?

The German Federal Office for Information Security (BSI) defines four functionality classes for random number generators (K1 to K4 in its AIS 20 guidance). Generators meeting classes 3 and 4 are preferred: for class 3, an attacker who has seen part of the output sequence cannot feasibly determine earlier or later values, and for class 4, even knowledge of the generator's internal state does not reveal previously generated numbers.

The risk for an organization here is that it builds a routine compliance checklist around the wrong tools (a general-purpose PRNG instead of a cryptographically secure one, for instance) and only discovers the error when the auditor tests these properties.
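The following is an added example illustrating the point above; it is not code from the original post or from Utimaco. It contrasts a key drawn from the operating system's CSPRNG with a key derived from Python's general-purpose PRNG seeded with a guessable value, shows that a naive statistical check cannot tell them apart, and then shows what an auditor (or attacker) can do with the weak one. The 32-byte key length, the "seconds since midnight" seed space and the sample seed are assumptions made for the example.

```python
import random
import secrets

KEY_BYTES = 32  # assumed AES-256 key length; the page names no algorithm


def generate_key_strong():
    """Generate a key from the operating system's CSPRNG.

    secrets.token_bytes() reads from the OS entropy source (os.urandom),
    which is what "strong keys" under Requirement 3.6.1 means in software.
    """
    return secrets.token_bytes(KEY_BYTES)


def generate_key_weak(seed):
    """Anti-pattern, constructed for this example: derive a key from a
    general-purpose PRNG (Mersenne Twister) seeded with a guessable value
    such as a timestamp.  The output looks uniformly distributed, so it can
    pass a naive statistical check, yet it is fully determined by the seed."""
    rng = random.Random(seed)
    return rng.getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big")


def recover_seed(target_key, seed_space):
    """What an attacker does against the weak generator: enumerate the seed
    space and regenerate the key until it matches.  Returns the seed or None."""
    for seed in seed_space:
        if generate_key_weak(seed) == target_key:
            return seed
    return None


def all_distinct(generator, count):
    """Collision check an auditor might run: generate `count` keys and confirm
    none repeat.  For 256-bit keys from a CSPRNG a repeat is practically
    impossible; a repeat points to a broken or badly seeded generator."""
    keys = set()
    for _ in range(count):
        keys.add(generator())
    return len(keys) == count


def bit_balance(key):
    """Naive statistical check: fraction of bits that are set.  Both generators
    land near 0.5, which is exactly why such a check proves nothing about
    unpredictability."""
    total_bits = len(key) * 8
    set_bits = sum(bin(b).count("1") for b in key)
    return set_bits / total_bits


if __name__ == "__main__":
    # Constructed scenario: the weak key was seeded with "seconds since
    # midnight", so the attacker only has 86 400 candidates to try.
    SECONDS_IN_DAY = range(86_400)
    weak_key = generate_key_weak(seed=43_210)
    print("weak key bit balance  :", round(bit_balance(weak_key), 3))
    print("seed recovered        :", recover_seed(weak_key, SECONDS_IN_DAY))

    strong_key = generate_key_strong()
    print("strong key bit balance:", round(bit_balance(strong_key), 3))
    print("seed recovered        :", recover_seed(strong_key, SECONDS_IN_DAY))
    print("10 000 strong keys distinct:", all_distinct(generate_key_strong, 10_000))
```

The point to take from the run is that the weak key passes the bit-balance check just as well as the strong one, but is recovered in well under a second by brute-forcing the seed; a compliance checklist that only runs distribution tests on the output would never catch this. In practice the key would be generated inside an HSM rather than in application code, and the check that matters is the provenance of the generator, not the look of its output.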

Requirement 3.6.2

Requirement 3.6.2 focuses on the secure distribution of cryptographic keys. Keys should be distributed only to the custodians named on the access list, and that list should be short. For reference values for control objectives and controls, an auditor consults ISO 27001 Annex A.

Requirement 9

Section 9 requires the management of privileged access rights; the auditor reviews the formal documentation to determine whether elevated rights are managed correctly and, once that analysis is complete, checks that the keys were distributed to the correct administrators. (PCI DSS Requirement 9 itself covers physical access to cardholder data; the management of privileged access rights described here is the control in ISO 27001 Annex A.9, referenced above.)

Security mechanisms are frequently weakened by privileged users misusing their authority. The key management system must therefore keep a permanent log of key access, so that it can be verified that only authorized users have used the keys.

HSM devices solve many key management problems and are highly recommended. Organizations should, however, ask the vendor for clarity on issues such as how well the devices integrate with their existing systems.

An HSM can also help manage, and comply with regulations for, custodians leaving the company and new employees being hired, provided the right equipment is purchased. On some HSM devices, an administrator creates a group for the key custodians and manages every custodian entering and leaving that group.

Of the 12 requirements in the PCI DSS standard, these three are the most relevant to key generation and key distribution. To meet the standard and provide the highest level of data security, HSMs offer the cryptographic functionality, user access controls and, in most cases, the key management software needed for PCI DSS compliance.

Blog post by Paul Abraham

About the author

Dawn M. Turner is a professional author with a passion for technical regulations and standards, and for their relevance and impact on corporate operations and industry in general. Dawn has more than 10 years of experience in the IT industry in hardware, programming, systems and network engineering. Her educational background includes certificates of completion in computer operations and programming, CompTIA and Microsoft certifications including A+, MCSE and MCP, an associate degree with a major in business and a minor in computer science, a Bachelor of Science with a major in business forensics and a minor in accounting, and an MBA focused on finance and economics.
