Blog

PCI Requirement 3.5.3 – Store Secret & Private Keys Used to Encrypt/Decrypt Cardholder Data

by Randy Bartels / December 22, 2022

PCI Requirement 3.5.3 requires organizations to, “Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times: Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key. Within a secure cryptographic device (such as a hardware (host) security module (HSM) or PTS-approved point-of-interaction device) As at…

PCI Requirement 3.5.2 – Restrict Access to Cryptographic Keys

by Randy Bartels / December 22, 2022

PCI Requirement 3.5.2 states, “Restrict access to cryptographic keys to the fewest number of custodians necessary.” There should be very few employees who have access to your organization’s cryptographic keys. Typically, only those deemed “key custodians” have this type of access. In order to comply with PCI Requirement 3.5.2, your organization needs to maintain strict access controls around who has access to cryptographic keys in order to prevent an unauthorized…

PCI Requirement 3.5.1 – Maintain a Documented Description of the Cryptographic Architecture

by Randy Bartels / December 22, 2022

PCI Requirement 3.5.1 is an additional requirement that only applies to service providers. It requires that your organization, “Maintain a documented description of the cryptographic architecture that includes: details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date, a description of the key usage for each key, and an inventory of any HSMs and other SCDs used for key management.”…

PCI Requirement 3.5 – Protect Keys Used to Store Cardholder Data

by Randy Bartels / December 22, 2022

If your organization is using encryption to render cardholder data unreadable, you must have a key management program in place. PCI Requirement 3.5 requires organizations to, “Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.” PCI Requirement 3.5 applies to: “keys used to encrypt stored cardholder data, and also applies to key-encrypting keys used to protect data-encrypting keys—such key-encrypting keys must be…

PCI Requirement 3.4.1 – Use of Disk Encryption

by Randy Bartels / May 31, 2023

If your organization is going to use disk encryption as a means to render data unreadable, you need to comply with PCI Requirement 3.4.1. PCI Requirement 3.4.1 states, “If disk encryption is used (rather than file or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login…

PCI Requirement 3.5.3 – Store Secret & Private Keys Used to Encrypt/Decrypt Cardholder Data

PCI Requirement 3.5.2 – Restrict Access to Cryptographic Keys

PCI Requirement 3.5.1 – Maintain a Documented Description of the Cryptographic Architecture

PCI Requirement 3.5 – Protect Keys Used to Store Cardholder Data

PCI Requirement 3.4.1 – Use of Disk Encryption

Categories

Newsletter

Learn what you need to get started with our Audit Readiness Guide.