PCI Requirement 3.7 – Security Policies & Operational Procedures

by Randy Bartels / December 22, 2022

PCI Requirement 3 states, “Protect stored cardholder data.” We’ve discussed encryption, truncation, masking, and hashing – all methods that can be used to protect cardholder data. We’ve talked about dual control, split knowledge, rendering data unreadable, key-custodians, PAN, sensitive authentication data – all elements that need to be understood in order to fully protect and store cardholder data. But it’s not enough just to learn and talk about these things;…


PCI Requirement 3.6.8 – Key-Custodian Responsibilities

by Randy Bartels / December 22, 2022

Someone in your organization needs to be responsible for managing the encryption of your environment and accept the importance of this role. This is why PCI Requirement 3.6.8 states, “Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key-custodian responsibilities.” Key custodian is one of the most important roles within your organization. Key custodians are responsible for creating encryption keys, altering keys, recovering keys, rotating keys, distributing…

PCI Requirement 3.6.7 – Prevention of Unauthorized Substitution of Cryptographic Keys

by Randy Bartels / December 22, 2022

Your organization must have the appropriate controls in place to prevent unauthorized key substitution. PCI Requirement 3.6.7 requires, “Prevention of unauthorized substitution of cryptographic keys.” If your organization does not have policies, procedures, and standards documenting how your encryption solution rejects substitute keys from unauthorized sources, you are giving malicious individuals an opportunity to decrypt your data. Assessors will examine your procedures to ensure that they outline a…

PCI Requirement 3.6.6 – Using Split Knowledge & Dual Control

by Randy Bartels / December 22, 2022

PCI Requirement 3.6.6 is one requirement that both assessors and clients struggle to understand. PCI Requirement 3.6.6 states, “If manual clear-text cryptographic key-management operations are used, these operations must be managed using split knowledge and dual control.” What is split knowledge? The PCI DSS explains split knowledge as, “Split knowledge is a method in which two or more people separately have key components, where each person knows only their own…
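The following is an added example, not code from the original post or from KirkpatrickPrice, showing the mechanics behind split knowledge and dual control for a manual clear-text key-management operation. A key is split into XOR components so that no single custodian's component reveals anything about the key, and a key-load routine refuses to proceed unless at least two different custodians have each entered exactly one component. The custodian IDs, the `check_value` function (a truncated SHA-256 used here only to confirm the reconstructed key without revealing it; real HSMs typically use a vendor-defined key check value) and the sample key bytes are assumptions made for the illustration.

```python
import hashlib
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (components must match the key length)."""
    if len(a) != len(b):
        raise ValueError("components must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n_components: int) -> list[bytes]:
    """Split `key` into n XOR components for separate custodians.

    n-1 components are uniformly random; the last one is key XOR all others.
    The XOR of all n components is the key, and any n-1 components together
    are statistically independent of it, which is what 'split knowledge' needs.
    """
    if n_components < 2:
        raise ValueError("split knowledge needs at least two components")
    components = [secrets.token_bytes(len(key)) for _ in range(n_components - 1)]
    last = key
    for component in components:
        last = xor_bytes(last, component)
    components.append(last)
    return components


def combine_components(components: list[bytes]) -> bytes:
    """Reconstruct the key by XORing every component together."""
    if len(components) < 2:
        raise ValueError("at least two components are required")
    key = bytes(len(components[0]))
    for component in components:
        key = xor_bytes(key, component)
    return key


def check_value(key: bytes) -> str:
    """Short check value so custodians can confirm a correct load without seeing the key.
    Hypothetical construction (truncated SHA-256); production systems use the HSM's own KCV."""
    return hashlib.sha256(key).hexdigest()[:6]


def load_key_under_dual_control(entries: list[tuple[str, bytes]], expected_kcv: str) -> bytes:
    """Dual control: the key may only be formed when two or more distinct
    custodians each enter their own single component. The check value catches
    a mistyped or substituted component before the key is put into use."""
    custodians = {custodian for custodian, _ in entries}
    if len(custodians) < 2:
        raise PermissionError("dual control requires at least two different custodians")
    if len(custodians) != len(entries):
        raise PermissionError("each custodian may enter only one component")
    key = combine_components([component for _, component in entries])
    if check_value(key) != expected_kcv:
        raise ValueError("check value mismatch: a component was mistyped or substituted")
    return key


if __name__ == "__main__":
    # Constructed sample: a 32-byte (AES-256 sized) key split across three custodians.
    sample_key = bytes(range(32))
    parts = split_key(sample_key, 3)
    kcv = check_value(sample_key)
    loaded = load_key_under_dual_control(
        [("custodian_a", parts[0]), ("custodian_b", parts[1]), ("custodian_c", parts[2])], kcv
    )
    print("reconstructed key matches:", loaded == sample_key)
    print("two of three components alone reveal the key:",
          combine_components(parts[:2]) == sample_key)
```

Each custodian should receive only their own component, ideally on separately sealed media, and should enter it without the others watching; the code can enforce the counting rules, but the physical separation of the components is still a procedural control that assessors will ask to see documented.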

PCI Requirement 3.6.5 – Replacing Weakened Keys

by Randy Bartels / December 19, 2022

PCI Requirement 3.6.5 requires, “Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised.” The PCI DSS states, “Keys that are no longer used or needed, or keys that are known or suspected to be compromised, should…