= PCI DSS requirements – Thales solution
Each row states the PCI DSS requirement and, after the dash, the Thales control mapped to it.
[3.5] Protect encryption keys used for encryption of cardholder data against both disclosure and misuse:
[3.5.1] Restrict access to cryptographic keys to the fewest custodians necessary – Separation of duties and dual control. nShield restricts access to cryptographic keys to authorized custodians authenticated by smartcard, and can split control of a key across several card holders so that no single person can use it alone.
[3.5.2] Store keys securely in the fewest possible locations – Central key management. nShield stores cryptographic keys centrally and in encrypted form in its key store, the Security World. Key-encrypting keys are stored separately from the data-encrypting keys they protect.
[3.6] Fully document and implement all key management processes and procedures for keys used for encryption of cardholder data – nShield (and TEMS, for the tape backup application) implements secure key management procedures for keys used to encrypt cardholder data. Documenting those procedures for the assessment remains the responsibility of the entity being assessed.
[3.6.1] Secure generation of keys – Keys are generated inside the hardware security module by its hardware random number generator.
[3.6.2] Secure distribution of keys – Keys are stored centrally, so cleartext keys do not need to be distributed; any key material that leaves the device is encrypted by FIPS-validated hardware.
[3.6.3] Secure storage of keys – Protected storage: keys are held encrypted by FIPS-validated hardware.
[3.6.4] Periodically change keys – Automated key rotation. Key rotation is controlled through application attached with
[3.6.6] Split knowledge and establishment of keys – Administrator and operator card sets with a k-of-n quorum. nShield key management operations are authorized by smartcards, giving split knowledge of and dual control over the establishment of cryptographic keys; a card combined with its passphrase provides two-factor authentication. Security-critical key management operations cannot proceed until the required quorum of cards has been presented.
[4.1] Use strong cryptography and security protocols such as secure sockets layer (SSL)/transport layer security (TLS) and internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks – Thales Datacryptor provides strong cryptography and security protocols without sacrificing throughput. It combines strong symmetric and asymmetric algorithms to protect the traffic passing through it, and even the IP layer itself can be encrypted. Note that later PCI DSS versions no longer accept SSL or early TLS as strong cryptography; current TLS versions (1.2 or higher) should be used.
[4.1.1] For wireless networks transmitting cardholder data, encrypt the transmissions by using WiFi protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN – Where cardholder data crosses wireless, Internet, GSM or GPRS links, Thales nShield protects the SSL/TLS private keys of the web server terminating the session and offloads the cryptographic processing to improve performance. Because cardholder data is often carried inside an SSL/TLS session, protecting the server key protects the session. nShield can also encrypt the sensitive data elements themselves, so data sent over messaging technologies stays protected independently of the transport.
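The k-of-n quorum behind requirement 3.6.6 (and the dual control in 3.5.1) rests on threshold secret sharing: a key is split into n shares so that any k of them reconstruct it while any k-1 are consistent with every possible key and so reveal nothing. The Python block below is an added illustration written for this page; it is not Thales code and not the scheme nShield uses internally. It implements Shamir's secret sharing over a prime field (the 521-bit Mersenne prime is an assumption chosen so a 256-bit key fits in one field element) and checks that a 3-of-5 split recovers the key from any three shares but not from two.

```python
import secrets
from typing import Callable, List, Tuple

# Prime field for the shares. 2**521 - 1 is a Mersenne prime; it is large enough
# to hold a 256-bit key as a single field element (assumption made for this example).
PRIME = 2**521 - 1

Share = Tuple[int, int]  # (x coordinate, y = f(x))


def split_secret(secret: int, k: int, n: int,
                 rand_below: Callable[[int], int] = secrets.randbelow) -> List[Share]:
    """Split `secret` into n shares of which any k recover it (Shamir's scheme).

    A random polynomial f of degree k-1 with f(0) = secret is chosen; share i is
    the point (i, f(i)). Fewer than k points fit a polynomial with any constant
    term, so they carry no information about the secret.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    # coeffs[0] is the secret; the remaining k-1 coefficients are uniformly random.
    coeffs = [secret] + [rand_below(PRIME) for _ in range(k - 1)]

    def f(x: int) -> int:
        # Horner evaluation of the polynomial modulo PRIME.
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % PRIME
        return acc

    # x = 0 is never handed out as a share: f(0) is the secret itself.
    return [(x, f(x)) for x in range(1, n + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Reconstruct f(0) from k (or more) distinct shares by Lagrange interpolation."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share presented")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i == j:
                continue
            num = num * (-xj) % PRIME          # product of (0 - x_j)
            den = den * (xi - xj) % PRIME      # product of (x_i - x_j)
        # Lagrange basis polynomial L_i evaluated at x = 0, weighted by y_i.
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def quorum_demo(k: int = 3, n: int = 5) -> dict:
    """Split a fresh 256-bit key k-of-n and report what various card subsets recover."""
    key = secrets.randbits(256)
    shares = split_secret(key, k, n)
    return {
        "key": key,
        "first_k": recover_secret(shares[:k]),        # any k shares work ...
        "last_k": recover_secret(shares[-k:]),        # ... whichever k they are
        "k_minus_1": recover_secret(shares[:k - 1]),  # k-1 shares yield an unrelated value
        "all_n": recover_secret(shares),              # more than k shares also work
    }


if __name__ == "__main__":
    r = quorum_demo()
    print("quorum of k cards recovers key:",
          r["first_k"] == r["key"] == r["last_k"] == r["all_n"])
    print("k-1 cards recover key:", r["k_minus_1"] == r["key"])
```

In an HSM the shares live on the individual smartcards and the reconstruction happens inside the module, so the key never exists in host memory; here everything runs in one process purely to show the arithmetic. The `rand_below` parameter exists only so the test below can make the polynomial deterministic; in use, leave it at `secrets.randbelow`.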