Key Management for PCI DSS

News Posted by: dymar on 05/03/2018 10:42



Avoid The Headaches Associated With Compliance

IT Security and Compliance Managers and QSAs agree that encryption is one of the most effective technologies for achieving PCI DSS compliance. However, encryption has often been ruled out because of the difficulties in managing keys. Until now.

Thales nShield Connect simplifies the use of encryption for protecting cardholder data. It can improve data security and cut the cost of compliance. nShield Connect is a scalable, network-attached hardware security module capable of protecting keys for 100+ connected applications, and it works with database encryption from Microsoft and tokenization from other leading data protection vendors.

Understanding Key Management

Although not a cardholder data protection method, key management is closely tied to the success of your data protection projects. If encryption keys aren’t secured and the control over them is sloppy, then your ability to demonstrate to an auditor that data is in fact protected will be limited.

The PCI DSS includes recognized best practices for managing keys. These requirements include:
3.5: Protect keys against misuse or disclosure
3.5.1 and 3.5.2: Restrict access to keys and store them in the fewest possible locations
3.6: Document and implement key management procedures
3.6.1 to 3.6.3: Securely generate, distribute, and store keys
3.6.4: Change keys periodically (also known as rollover)
3.6.5: Retire old or suspected-compromised keys
3.6.6: Split knowledge and control of keys so that no one person can misuse them
3.6.7: Prevent substitution of keys
3.6.8: Document key custodians' agreement with policies
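As an added illustration, not from the original post or from Thales, the Python below shows what 3.6.6 and 3.6.7 mean in practice: a key is split into components held by separate custodians (no component alone reveals anything about the key), and a check value recorded at creation is verified when the components are recombined, so a substituted or corrupted component is caught before the key is used. The XOR split and the SHA-256-based check value are assumptions chosen for illustration; the PCI/ANSI key check value is computed differently (by encrypting a zero block), and the sample key is constructed, not a real one.

```python
import hashlib
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("components must have the same length as the key")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int) -> list[bytes]:
    """Split `key` into n-of-n components (PCI DSS 3.6.6, split knowledge).
    Every component but the last is fresh random bytes; the last is chosen so
    that XOR-ing all components rebuilds the key. Any subset short of all n
    components is uniformly random, so a single custodian learns nothing."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    shares = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for share in shares:
        last = _xor(last, share)
    return shares + [last]


def combine_shares(shares: list[bytes]) -> bytes:
    """Recombine all components (the key-loading ceremony)."""
    key = shares[0]
    for share in shares[1:]:
        key = _xor(key, share)
    return key


def check_value(key: bytes) -> str:
    """Short fingerprint recorded alongside the key at creation time.
    Assumption: truncated SHA-256, not the ANSI encrypt-zero-block KCV.
    It confirms the right key was rebuilt without revealing the key."""
    return hashlib.sha256(key).hexdigest()[:8]


def load_key(shares: list[bytes], expected_kcv: str) -> bytes:
    """Rebuild the key and refuse it if the check value does not match
    (PCI DSS 3.6.7, detecting key substitution)."""
    key = combine_shares(shares)
    if check_value(key) != expected_kcv:
        raise ValueError("key check value mismatch: component substituted or corrupted")
    return key


SAMPLE_KEY = bytes(range(16))  # constructed 16-byte sample, not a real key

if __name__ == "__main__":
    parts = split_key(SAMPLE_KEY, custodians=3)
    kcv = check_value(SAMPLE_KEY)
    print("rebuilt OK:", load_key(parts, kcv) == SAMPLE_KEY)
```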

How can you meet these requirements?


Possibly the easiest method is to use an HSM that offloads these tasks from your applications to a specialized and certified device. The job of an HSM is to perform the activities detailed in Requirements 3.5 and 3.6, and demonstrating its use may be all that's needed for auditors. According to the Ponemon Institute, 63 percent of QSAs agree that using an HSM reduces the time spent on demonstrating PCI DSS compliance.

If you'll be using encryption or tokenization to protect cardholder data, you'll need to live up to Requirements 3.4 to 3.6 for encryption key management. And even if you're an old pro at encryption, demonstrating compliance can be challenging. Who really has access to keys? Access to key backups? How can you roll over keys? Using a system that is specialized in encryption key management, such as a hardware security module, can make your life, and your PCI DSS audit, much easier. In fact, research shows the majority of PCI DSS auditors recommend HSMs and find they reduce the time spent on demonstrating compliance.



Source: PCI Cardholder Data Protection for Dummies