PCI-DSS and Crypto Key Management: White Paper
Table of Contents
1 Introduction
2 PCI-Security Standards
2.1 What is the PCI Security Standards Council?
2.2 What is PCI-DSS?
This document refers to the latest PCI DSS specification v3.2, published in April 2016.
www.cryptomathic.com
1 Introduction
PCI-DSS is the payment industry's standard for the protection of credit and debit cardholder data. Encryption is the de-facto mechanism for compliant protection of sensitive data, but a badly designed or badly implemented encryption scheme adds complexity and risk instead of removing them.
Encryption inevitably transfers the value of the encrypted data to the keys that give access to it. A strong and robust Key Management System is needed to manage the relationship between business applications and their cryptographic keys, and thus to protect these vital assets.
This document provides both a high-level summary of how a Key Management System applies to PCI-DSS and a more detailed examination of the specific benefits that a centralized and automated system, such as Cryptomathic's CKMS, can bring to Requirement 3 (Protect Stored Cardholder Data) of the standard.
By exploring the PCI DSS Requirement 3 controls in more detail, this document shows how CKMS can serve as the key management solution for achieving compliance with PCI DSS.
2 PCI-Security Standards
2.1 What is the PCI Security Standards Council?
The PCI Security Standards Council (PCI SSC) is an organization founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc.
It promotes Payment Card Industry standards to help protect cardholder data used in payment systems and payment cards worldwide.
The Council develops and maintains the security standards that merchants, banks, payment processors, service providers and technology providers must comply with.
2.2 What is PCI-DSS?
PCI-DSS stands for Payment Card Industry Data Security Standard. It is the main specification that provides a framework for a robust payment card data security process.
At a high level, it comprises 12 requirements, together with the corresponding security assessment procedures, grouped into six domains as follows:
Domain / Requirements
Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel
For systems that use encryption to comply with PCI-DSS, specific subsections of Requirement 3 define the expected behaviour in relation to key management processes and procedures (see section 4).
While it is possible to implement key management as a manual process, performed by people following written procedures, such schemes typically scale badly, are vulnerable to error and compromise, and are expensive to maintain at the required auditable level.
In contrast, centralized and automated key management systems, such as CKMS, are designed to provide integrity and proof of behaviour (an audit trail) for these processes, to reduce risk and cost, and to scale economically with the needs of the business.
CKMS is a key management system developed and designed to meet the stringent requirements of the financial industry, and it is directly relevant and applicable to the PCI-DSS key management requirements.
CKMS is used by major banks, card payment schemes, card data processors and bureaus worldwide to meet the PCI-DSS requirements when handling credit and debit card data.
CKMS directly addresses the following headline controls in PCI-DSS:
• Two-factor (multi-factor) authentication of key management administrators (this is a Requirement 8 control, not a Requirement 3 one)
• Dual control (Requirement 3.6.6)
• Split knowledge (Requirement 3.6.6)
CKMS is built on a resilient client-server architecture. The quality and protection of keys is
ensured using a FIPS 140-2 level 3 or higher HSM (Hardware Security Module), with the flexibility
to choose from a variety of vendors.
High availability is ensured through clustering of the servers, database and HSMs. Key management administration can be performed without restrictions on time or place via an intuitive graphical user interface (GUI), with PCI-compliant PIN entry devices (PEDs) and smart cards (ICCs) providing strong authentication of administrators. The PEDs also support remote key import/export and the printing of key components (key shares). Keys are distributed to applications and HSMs in a wide range of formats (key blocks). All critical operations are recorded in a tamper-evident audit log.
[Figure: CKMS distributes keys to HSMs (key blocks), servers (PKCS#11) and cloud applications (BYOK, IIS, ADFS).]
The graphical interface provided by CKMS allows security officers to manage keys throughout their life-cycle, from generation through rotation to retirement and deletion.
While CKMS helps an organisation comply efficiently with specific requirements of PCI-DSS, adopting a world-class key management system brings additional benefits beyond compliance.
In summary, CKMS meets the relevant PCI-DSS requirements around cryptographic key management, and can support both confident compliance with the standard and a general improvement in the protection of these business-critical assets.
If an attacker circumvents all other security measures (firewalls, access control, etc.) and still succeeds in accessing stored cardholder data, that data must be unreadable. PCI-DSS Requirement 3.4 allows this to be achieved with one-way hashes, truncation, index tokens or strong cryptography; this paper concentrates on the last of these, i.e. encrypting cardholder data before it is stored in files or databases.
Encryption is an efficient and secure solution, provided that the cryptographic keys used for encryption are well protected, controlled and managed. For this reason, PCI-DSS Requirement 3 includes explicit key management requirements.
Sections 3.5 and 3.6 of PCI-DSS v3.2 list the detailed requirements around key management that must be met to achieve PCI-DSS compliance in any system that uses encryption. Those most relevant here are:
3.5 Document and implement procedures to protect keys used to secure stored cardholder
data against disclosure and misuse
3.6 Fully document and implement all key-management processes and procedures for cryp-
tographic keys used for encryption of cardholder data, including the following:
3.6.4 Cryptographic key changes for keys that have reached the end of their crypto-period.
3.6.6 If manual clear-text cryptographic key-management operations are used, these opera-
tions must be managed using split knowledge and dual control.
CKMS can directly be applied to ensure compliance with all these requirements.
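Requirement 3.6.6 is normally met with key components: each custodian holds one full-length component, the key is the XOR of all of them, and every component and the assembled key carry a key check value (KCV) so a mistyped share is caught before it is used. The Go program below is an added example written for this page; it is not code from the white paper or from CKMS. It assumes AES keys, XOR components, the conventional KCV (first three bytes of the AES encryption of an all-zero block), and constructed custodian names. It models the ceremony logic only: in a real deployment the components are entered on a PED and combined inside the HSM, so the clear key never appears in host memory as it does in `CombineKey` here.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Component is one custodian's share of a key: a full-length value that on its
// own reveals nothing about the key, plus a key check value (KCV) for its entry.
type Component struct {
	Custodian string
	Value     []byte
	KCV       string
}

// KCV is the conventional check value: AES-encrypt an all-zero block with the key
// and keep the first three bytes. It identifies a key without exposing it.
func KCV(key []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	out := make([]byte, block.BlockSize())
	block.Encrypt(out, make([]byte, block.BlockSize()))
	return hex.EncodeToString(out[:3]), nil
}

// SplitKey makes one component per custodian such that XOR-ing all of them gives
// key back. All but the last are random, so any subset missing even one component
// is uniformly random and says nothing about the key: this is split knowledge.
func SplitKey(key []byte, custodians []string) ([]Component, error) {
	if len(custodians) < 2 {
		return nil, errors.New("split knowledge needs at least two custodians")
	}
	var parts []Component
	last := append([]byte(nil), key...)
	for i, who := range custodians {
		share := make([]byte, len(key))
		if i == len(custodians)-1 {
			copy(share, last) // the final component closes the XOR
		} else if _, err := rand.Read(share); err != nil {
			return nil, err
		} else {
			for j := range last {
				last[j] ^= share[j]
			}
		}
		check, err := KCV(share)
		if err != nil {
			return nil, err
		}
		parts = append(parts, Component{who, share, check})
	}
	return parts, nil
}

// CombineKey reassembles the key at a loading ceremony. Dual control: it refuses
// to proceed unless every custodian's component is present. Each component is
// checked against the KCV recorded at split time, and so is the assembled key.
func CombineKey(entered []Component, componentKCVs []string, keyKCV string) ([]byte, error) {
	if len(entered) == 0 || len(entered) != len(componentKCVs) {
		return nil, fmt.Errorf("dual control: %d of %d components present", len(entered), len(componentKCVs))
	}
	key := make([]byte, len(entered[0].Value))
	for i, c := range entered {
		check, err := KCV(c.Value)
		if err != nil || len(c.Value) != len(key) {
			return nil, fmt.Errorf("component from %s is not a valid key component", c.Custodian)
		}
		if check != componentKCVs[i] {
			return nil, fmt.Errorf("component from %s has KCV %s, expected %s", c.Custodian, check, componentKCVs[i])
		}
		for j := range key {
			key[j] ^= c.Value[j]
		}
	}
	if check, _ := KCV(key); check != keyKCV {
		return nil, fmt.Errorf("assembled key has KCV %s, expected %s", check, keyKCV)
	}
	return key, nil
}

func main() {
	key := make([]byte, 16) // constructed sample: a fresh AES-128 key
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	keyKCV, _ := KCV(key)
	parts, _ := SplitKey(key, []string{"custodian-A", "custodian-B", "custodian-C"})
	kcvs := make([]string, len(parts))
	for i, p := range parts {
		kcvs[i] = p.KCV // the system keeps only the KCVs; the shares go to the custodians
	}
	_, err := CombineKey(parts[:1], kcvs, keyKCV)
	fmt.Println("one custodian:", err) // dual control rejects this
	_, err = CombineKey(parts, kcvs, keyKCV)
	fmt.Println("all custodians: err =", err, "key KCV", keyKCV)
}
```

The point of the full-length random components (rather than, say, splitting the key bytes between custodians) is that a custodian holding two of three components still has no information about the key; the KCVs let each custodian confirm an entry without learning anything about the others' shares. The KCV is a 24-bit check, not an authenticator, so it detects typing errors but does not replace the audit log of who performed the ceremony.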
The headline requirements of sections 3.5 and 3.6 refer to the need for key management in general. Here we expand on a specific subsection requirement of the standard and explain the role that CKMS can have in demonstrating compliance.
Requirement 3.6.3: Secure cryptographic key storage
Why it matters: in aggregating a central store of keys, a key management system provides a treasure trove of data that can have immense value to an attacker. The keys must be protected to a very high standard, both against theft and against misuse.
Automatically, with CKMS: COMPLIANT. CKMS stores keys in a database encrypted under the HSM master key. The key hierarchy implemented in CKMS allows the system keys that protect the application keys to be renewed without changing the application keys themselves.
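To make the key hierarchy concrete, the following Go program is an added example for this page (not CKMS code and not from the white paper). It models a two-level hierarchy: application keys exist in the database only as AES-GCM blobs wrapped under a versioned master key (KEK), and rotating the KEK re-wraps every blob without changing the application keys, so cardholder data encrypted under them needs no re-encryption. It assumes a software KEK standing in for the HSM master key, 256-bit keys, and the key ID bound as GCM associated data; all key names are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// WrappedKey is all the database holds for an application key: never the key itself.
type WrappedKey struct {
	KEKVersion int
	Nonce      []byte
	Ciphertext []byte
}

// KeyStore holds master keys by version (standing in for the HSM master key,
// which in practice never leaves the HSM) and the application keys wrapped under them.
type KeyStore struct {
	keks    map[int][]byte
	current int
	wrapped map[string]WrappedKey
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewKeyStore() (*KeyStore, error) {
	kek, err := randomBytes(32)
	return &KeyStore{keks: map[int][]byte{1: kek}, current: 1, wrapped: map[string]WrappedKey{}}, err
}

// Wrap stores appKey under the current KEK. AES-GCM gives integrity as well as
// confidentiality; binding the key ID as associated data stops blob swapping.
func (s *KeyStore) Wrap(id string, appKey []byte) error {
	aead, err := newGCM(s.keks[s.current])
	if err != nil {
		return err
	}
	nonce, err := randomBytes(aead.NonceSize())
	if err == nil {
		s.wrapped[id] = WrappedKey{s.current, nonce, aead.Seal(nil, nonce, appKey, []byte(id))}
	}
	return err
}

// Unwrap recovers the clear key; an unknown ID, a destroyed KEK or a modified blob fails.
func (s *KeyStore) Unwrap(id string) ([]byte, error) {
	w, known := s.wrapped[id]
	kek, live := s.keks[w.KEKVersion]
	if !known || !live {
		return nil, fmt.Errorf("key %q not recoverable (KEK version %d)", id, w.KEKVersion)
	}
	aead, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, w.Nonce, w.Ciphertext, []byte(id))
}

// RotateKEK renews the system key protecting the application keys: generate a new
// KEK, re-wrap every application key under it, then destroy the old KEK. The
// application keys are unchanged, so data encrypted under them is untouched.
func (s *KeyStore) RotateKEK() (int, error) {
	newKEK, err := randomBytes(32)
	if err != nil {
		return 0, err
	}
	old := s.current
	s.current++
	s.keks[s.current] = newKEK
	for id := range s.wrapped {
		plain, err := s.Unwrap(id) // uses the version recorded in the blob
		if err == nil {
			err = s.Wrap(id, plain)
		}
		if err != nil {
			return 0, err
		}
	}
	delete(s.keks, old)
	return s.current, nil
}

func main() {
	store, _ := NewKeyStore()
	_ = store.Wrap("pan-dek", []byte("0123456789abcdef0123456789abcdef")) // constructed sample
	v, err := store.RotateKEK()
	fmt.Println("KEK version", v, "err", err)
}
```

Two caveats a reviewer would raise against this toy: re-wrapping and destroying the old KEK must be one transaction, otherwise a crash mid-way leaves some blobs wrapped under a KEK that no longer exists; and rotating the KEK is not the same as the crypto-period change in Requirement 3.6.4, which replaces an application key itself and therefore does require re-encrypting (or retiring) the data protected by the old key.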
Glossary
API Application Programming Interface
ABOUT CRYPTOMATHIC
Cryptomathic is a global provider of secure server solutions to businesses across a wide range of industry sectors, including banking, government, technology manufacturing, cloud and mobile. With over 30 years' experience, we provide systems for Authentication & Signing, EMV and Key Management, through best-of-breed security solutions and services.
We pride ourselves on strong technical expertise and unique market knowledge, with 2/3 of employees working in R&D, including an international team of security experts and a number of world renowned cryptographers. At the leading edge of security provision within its key markets, Cryptomathic closely supports its global customer base with many multinationals as longstanding clients.