Earlier this month, the Payment Card Industry (PCI) Security Standards Council released PCI DSS 3.0, the latest iteration of industry-wide requirements and guidelines for securing cardholder data. Scheduled to take effect on January 1, 2014, PCI DSS 3.0 is a sweeping attempt to “move organizations from mere compliance to more comprehensive security approaches built on shared responsibility,” according to Infosecurity Magazine. So what does that mean for the enterprise?
For one thing, it means a clearer, stronger focus on encryption key management.
Let’s take a look at PCI DSS 3.0 Requirement 3, “Protect stored cardholder data.” The Requirement 3 summary names encryption, truncation, masking, and hashing as “critical components of cardholder data protection” and places strong emphasis on key management: “If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person.”
And Requirement 3.5, newly clarified, hammers that home by specifying that companies “document and implement procedures to protect [encryption] keys used to secure stored cardholder data against disclosure and misuse.” This is important, the guidelines note, because anyone with access to the keys can decrypt protected data. The guidelines further specify that keys used to decrypt encryption keys (key-encrypting keys) must be protected as strongly as the encryption keys themselves.
To protect keys, Requirement 3.5 stipulates several specific protective actions, among them:
- 3.5.1: “Restrict access to cryptographic keys to the fewest number of custodians necessary”
- 3.5.3: “Store cryptographic keys in the fewest possible locations”
Requirement 3.6, meanwhile, mandates that enterprises not only perform the following actions, but document them:
- 3.6.2: “Secure cryptographic key distribution,” meaning, as the guidelines explain, that “the encryption solution must distribute keys securely…only to custodians identified in 3.5.1, and are never distributed in the clear.”
- 3.6.3: “Secure cryptographic key storage,” typically by encrypting the keys themselves.
- 3.6.4: Follow industry best practices and guidelines for “cryptographic key changes for keys that have reached the end of their cryptoperiod,” which is vital, the guidelines state, to “minimize the risk of someone’s obtaining the encryption keys, and using them to decrypt data.”
- 3.6.5: Retire or replace keys that have reached the end of their usefulness or “when the integrity of the key has been weakened,” perhaps by termination of an employee “with knowledge of a clear-text key component” or upon suspicion that the key has been compromised.
- 3.6.8: Obtain formal acknowledgement from key custodians “that they understand and accept their key-custodian responsibilities.”
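To make Requirements 3.5 and 3.6 concrete, here is an added Python example (my own illustration, not CipherCloud's product code and not a PCI Council artifact) of a two-tier key hierarchy: one key-encrypting key wraps many data-encrypting keys, which are stored only in wrapped form (3.6.3); custodian names are checked before any key is unwrapped (3.5.1); the active key is rotated once its cryptoperiod ends (3.6.4); and a retired key can no longer be used (3.6.5), with every lifecycle event written to an audit record (3.6). The custodian names, `KeyManager` class, cryptoperiod length and injectable clock are assumptions for the example. Because it must run with the standard library alone, it uses an HMAC-SHA256 encrypt-then-MAC construction in place of an authenticated cipher such as AES-GCM, and a process-local byte string in place of an HSM-resident key-encrypting key.

```python
import hashlib
import hmac
import secrets
import time

# Stdlib-only encrypt-then-MAC built from HMAC-SHA256 (teaching substitute for AES-GCM).
def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):  # counter-mode keystream, one 32-byte block per counter
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def _subkeys(key: bytes):  # derive independent encryption and MAC keys from one secret
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _xor_keystream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # layout: 16-byte nonce || ciphertext || 32-byte tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: tampered ciphertext or wrong key")
    return _xor_keystream(enc_key, nonce, ct)


class KeyManager:
    """Hypothetical key-management service: one KEK wraps many DEKs (Req. 3.5 / 3.6)."""

    def __init__(self, custodians, cryptoperiod_seconds, clock=time.time):
        if not custodians:
            raise ValueError("at least one named key custodian is required (3.5.1 / 3.6.8)")
        self.custodians = set(custodians)      # the fewest custodians necessary (3.5.1)
        self.cryptoperiod = cryptoperiod_seconds
        self.clock = clock                     # injectable so rotation can be tested
        self._kek = secrets.token_bytes(32)    # stands in for an HSM/KMS-resident KEK
        self._deks = {}                        # dek_id -> {"wrapped", "created", "status"}
        self._active = None
        self.audit = []                        # documented key-management events (3.6)
        self.rotate(reason="initial key generation")

    def _log(self, event, **fields):
        self.audit.append({"event": event, "at": self.clock(), **fields})

    def rotate(self, reason: str) -> str:
        """Generate a new DEK, store it only wrapped under the KEK, make it active (3.6.4)."""
        dek_id = f"dek-{len(self._deks) + 1:04d}"
        dek = secrets.token_bytes(32)
        self._deks[dek_id] = {"wrapped": encrypt(self._kek, dek),
                              "created": self.clock(), "status": "active"}
        if self._active is not None:           # old key stays usable for decryption only
            self._deks[self._active]["status"] = "decrypt-only"
        self._active = dek_id
        self._log("rotate", key=dek_id, reason=reason)
        return dek_id

    def retire(self, dek_id: str, reason: str) -> None:
        """Retire a key whose integrity is suspect or cryptoperiod is over (3.6.5)."""
        if dek_id == self._active:
            self.rotate(reason=f"replacement after retirement of {dek_id}")
        self._deks[dek_id]["status"] = "retired"
        self._log("retire", key=dek_id, reason=reason)

    def _unwrap(self, dek_id: str, custodian: str) -> bytes:
        if custodian not in self.custodians:
            raise PermissionError(f"{custodian!r} is not an approved key custodian (3.5.1)")
        record = self._deks[dek_id]
        if record["status"] == "retired":
            raise PermissionError(f"{dek_id} is retired and may not be used (3.6.5)")
        return decrypt(self._kek, record["wrapped"])  # KEK never leaves this object

    def protect(self, custodian: str, cardholder_record: bytes):
        """Encrypt a record under the active DEK, rotating first if its cryptoperiod ended."""
        if self.clock() - self._deks[self._active]["created"] >= self.cryptoperiod:
            self.rotate(reason="cryptoperiod expired")
        dek_id = self._active
        return dek_id, encrypt(self._unwrap(dek_id, custodian), cardholder_record)

    def unprotect(self, custodian: str, dek_id: str, blob: bytes) -> bytes:
        return decrypt(self._unwrap(dek_id, custodian), blob)

    def status(self, dek_id: str) -> str:
        return self._deks[dek_id]["status"]


if __name__ == "__main__":
    km = KeyManager(custodians=["alice"], cryptoperiod_seconds=86400)
    dek_id, blob = km.protect("alice", b"PAN:constructed-test-value")  # constructed input
    print(dek_id, km.unprotect("alice", dek_id, blob))
    for entry in km.audit:
        print(entry)
```

The point to notice is what the store holds at rest: only wrapped DEKs and the audit log, never a clear-text key, and a caller supplies a custodian identity rather than a key. Data written under a rotated key stays readable until that key is explicitly retired, which is what lets an enterprise re-encrypt old records on its own schedule while refusing any use of a key suspected of compromise.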
As we can see, it’s all about control. Enterprises must take control of their encryption keys before they can take control of their data protection and compliance. This is a position that CipherCloud has long maintained. Our cloud information protection gateway gives customers exclusive access to their encryption keys, no matter what cloud services they use. We are happy that the PCI clearly shares our view.
Compliance with PCI DSS standards has never been an easy undertaking for large enterprises with a lot of data and a lot at stake, and “more work will be required” on the part of businesses to remain compliant, as Sean Michael Kerner pointed out on eWeek. With a cloud information protection solution built specifically to put key management under enterprises’ control, however, compliance will be much simpler than it would be without.