PCI Requirement 3.6.7 – Prevention of Unauthorized Substitution of Cryptographic Keys

by Randy Bartels / December 22, 2022

Your organization must have the appropriate controls in place to prevent unauthorized key substitution. PCI Requirement 3.6.7 requires, “Prevention of unauthorized substitution of cryptographic keys.” If your organization does not have policies, procedures, and standards documenting how your encryption solution does not accept substitution keys from unauthorized sources, you are giving malicious individuals an opportunity to decrypt your data. Assessors will examine your procedures to ensure that they outline a…

PCI Requirement 3.6.6 – Using Split Knowledge & Dual Control

by Randy Bartels / December 22, 2022

PCI Requirement 3.6.6 is one requirement that both assessors and clients struggle to understand. PCI Requirement 3.6.6 states, “If manual clear-text cryptographic key-management operations are used, these operations must be managed using split knowledge and dual control.” What is split knowledge? The PCI DSS explains split knowledge as, “Split knowledge is a method in which two or more people separately have key components, where each person knows only their own…

PCI Requirement 3.6.5 – Replacing Weakened Keys

by Randy Bartels / December 19, 2022

PCI Requirement 3.6.5 requires, “Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised.” The PCI DSS states, “Keys that are no longer used or needed, or keys that are known or suspected to be compromised, should…

PCI Requirement 3.6.4 – Cryptographic Key Changes at Cryptoperiod Completion

by Randy Bartels / December 22, 2022

Encryption keys have a lifespan. PCI Requirement 3.6.4 states, “Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines.” Cryptoperiods are a major topic when…

PCI Requirement 3.6.3 – Secure Cryptographic Key Storage

by Randy Bartels / December 22, 2022

If your organization is storing PCI-related data using encryption, those keys must be stored securely, as PCI Requirement 3.6.3 commands, “Secure cryptographic key storage.” If your keys are stored securely, have the appropriate protections, and access is limited to the fewest people and locations possible, you prevent your organization from being susceptible to an attack. The PCI DSS further explains, “The encryption solution must store keys…