Blog

PCI Requirement 3.6.2 – Secure Cryptographic Key Distribution

by Randy Bartels / December 22, 2022

PCI Requirement 3.6.2 states, “Secure cryptographic key distribution.” Whether it’s placing tamper-proof or tamper-evident packaging on trackable packages or tracking data that you’ve transmitted electronically, any method that your organization is using to transmit keys needs to be done securely. Whether it’s moving keys from generators into production state or to backup, any method that your organization us using to transmit keys needs to be done securely. To further explain…

PCI Requirement 3.6.1 – Generation of Strong Cryptographic Keys

by Randy Bartels / December 22, 2022

PCI Requirement 3.6.1 requires, “Generation of strong cryptographic keys.” It also requires that, “The encryption solution must generate strong keys, as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms under "Cryptographic Key Generation." The intent of PCI Requirement 3.6.1, according to the PCI DSS, is to “significantly increase the level of security of encrypted cardholder data.” PCI Requirement 3.6.1 is part of the 8 sub-requirements…

PCI Requirement 3.6 – Document & Implement All Key-Management Processes & Procedures for Cryptographic Keys

by Randy Bartels / December 22, 2022

PCI Requirement 3.6 states, “Fully document and implement all key management processes and procedures for cryptographic keys used for encryption of cardholder data.” PCI Requirement 3.6 and its sub-requirements are meant to build your organization’s key management program because, according to the PCI DSS, “The manner in which cryptographic keys are managed is a critical part of the continued security of the encryption solution. A good key management process, whether…

PCI Requirement 3.5.4 – Store Cryptographic Keys in the Fewest Possible Locations

by Randy Bartels / December 22, 2022

PCI Requirement 3.5.4 states, “Store cryptographic keys in the fewest possible locations.” Reducing the amount of locations where cryptographic keys are stored helps your organization to track and monitor all key locations. If you have 100 locations, your organization would have to maintain strict control over 100 locations, which could lower the quality of control and increase the chance of unauthorized exposure. Minimizing the amount of locations to places that…

PCI Requirement 3.5.3 – Store Secret & Private Keys Used to Encrypt/Decrypt Cardholder Data

by Randy Bartels / December 22, 2022

PCI Requirement 3.5.3 requires organizations to, “Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times: Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key. Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device) As at…

PCI Requirement 3.6.2 – Secure Cryptographic Key Distribution

PCI Requirement 3.6.1 – Generation of Strong Cryptographic Keys

PCI Requirement 3.6 – Document & Implement All Key-Management Processes & Procedures for Cryptographic Keys

PCI Requirement 3.5.4 – Store Cryptographic Keys in the Fewest Possible Locations

PCI Requirement 3.5.3 – Store Secret & Private Keys Used to Encrypt/Decrypt Cardholder Data

Categories

Newsletter

Learn what you need to get started with our Audit Readiness Guide.