PCI Requirement 3.6.8 – Key-Custodian Responsibilities

by Randy Bartels / December 22, 2022

Someone in your organization needs to be responsible for managing the encryption of your environment and accept the importance of this role. This is why PCI Requirement 3.6.8 states, “Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key-custodian responsibilities.” Key custodian is one of the most important roles within your organization. Key custodians are responsible for creating encryption keys, altering keys, recovering keys, rotating keys, distributing…

PCI Requirement 3.6.7 – Prevention of Unauthorized Substitution of Cryptographic Keys

by Randy Bartels / December 22, 2022

Your organization must have the appropriate controls in place to prevent unauthorized key substitution. PCI Requirement 3.6.7 requires, “Prevention of unauthorized substitution of cryptographic keys.” If your organization does not have policies, procedures, and standards documenting how your encryption solution rejects substitute keys from unauthorized sources, you are giving malicious individuals an opportunity to decrypt your data. Assessors will examine your procedures to ensure that they outline a…

PCI Requirement 3.6.6 – Using Split Knowledge & Dual Control

by Randy Bartels / December 22, 2022

PCI Requirement 3.6.6 is one requirement that both assessors and clients struggle to understand. PCI Requirement 3.6.6 states, “If manual clear-text cryptographic key-management operations are used, these operations must be managed using split knowledge and dual control.” What is split knowledge? The PCI DSS explains split knowledge as, “Split knowledge is a method in which two or more people separately have key components, where each person knows only their own…

PCI Requirement 3.6.5 – Replacing Weakened Keys

by Randy Bartels / December 19, 2022

PCI Requirement 3.6.5 requires, “Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised.” The PCI DSS states, “Keys that are no longer used or needed, or keys that are known or suspected to be compromised, should…

PCI Requirement 3.6.4 – Cryptographic Key Changes at Cryptoperiod Completion

by Randy Bartels / December 22, 2022

Encryption keys have a lifespan. PCI Requirement 3.6.4 states, “Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines.” Cryptoperiods are a major topic when…