PCI Requirement 3.6.6 – Using Split Knowledge & Dual Control

by Randy Bartels / December 22, 2022

PCI Requirement 3.6.6 is one requirement that both assessors and clients struggle to understand. PCI Requirement 3.6.6 states, “If manual clear-text cryptographic key-management operations are used, these operations must be managed using split knowledge and dual control.” What is split knowledge? The PCI DSS explains split knowledge as, “Split knowledge is a method in which two or more people separately have key components, where each person knows only their own…
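The following is an added example, not code from the PCI DSS or from this post, of how split knowledge and dual control are commonly realised for a symmetric key: the clear-text key is never written down whole, each custodian holds one XOR component, and the key only exists inside the load ceremony once every component has been presented. It assumes an AES-256 (32-byte) key and, so it runs without a crypto library, a SHA-256-based key check value; production key check values are normally the leading bytes of an AES or TDES encryption of an all-zero block.

```python
"""Split knowledge and dual control with XOR key components.

Added example, not the post's or the PCI SSC's code. Assumptions:
32-byte (AES-256) keys, and a SHA-256-based check value in place of a
cipher-based KCV so the file has no dependencies.
"""
import hashlib
import secrets
from typing import Sequence

KEY_LEN = 32  # bytes; AES-256 (assumed key size for this example)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int) -> list[bytes]:
    """Return n components whose XOR is `key`.

    The first n-1 components are fresh CSPRNG output and the last one
    is chosen so that all n XOR back to the key. Any n-1 components are
    therefore independent of the key: a custodian who knows only their
    own component (or even n-1 of them) learns nothing about it.
    """
    if n < 2:
        raise ValueError("split knowledge needs at least two custodians")
    if len(key) != KEY_LEN:
        raise ValueError(f"expected a {KEY_LEN}-byte key")
    components = [secrets.token_bytes(KEY_LEN) for _ in range(n - 1)]
    last = key
    for c in components:
        last = xor_bytes(last, c)
    components.append(last)
    return components


def check_value(key: bytes) -> str:
    """Key check value the custodians compare after the load ceremony.

    Assumption: SHA-256 truncated to 3 bytes. A real KCV is usually the
    first bytes of encrypting an all-zero block under the key.
    """
    return hashlib.sha256(key).hexdigest()[:6]


def reconstruct(components: Sequence[bytes], expected_n: int) -> bytes:
    """Dual control: refuse the load unless every custodian took part."""
    if len(components) != expected_n:
        raise PermissionError(
            f"{len(components)} of {expected_n} components presented; "
            "key load requires all custodians"
        )
    key = bytes(KEY_LEN)
    for c in components:
        key = xor_bytes(key, c)
    return key


if __name__ == "__main__":
    # Constructed demo: three custodians, each sealed component printed.
    key = secrets.token_bytes(KEY_LEN)
    parts = split_key(key, 3)
    print("KCV of original key:", check_value(key))
    for i, p in enumerate(parts, 1):
        print(f"custodian {i} holds : {p.hex()}")
    print("KCV after ceremony :", check_value(reconstruct(parts, 3)))
    try:
        reconstruct(parts[:2], 3)  # one custodian absent
    except PermissionError as err:
        print("blocked:", err)
```

The point of the check value is that custodians can confirm the loaded key matches the one that was split without anyone ever seeing the key itself; the point of the `expected_n` check is that no single party, and no subset, can complete the operation alone, which is what Requirement 3.6.5's concern about a departed custodian also hinges on: once someone who held a component leaves, the whole key is treated as weakened and replaced.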

PCI Requirement 3.6.5 – Replacing Weakened Keys

by Randy Bartels / December 19, 2022

PCI Requirement 3.6.5 requires, “Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised.” The PCI DSS states, “Keys that are no longer used or needed, or keys that are known or suspected to be compromised, should…

PCI Requirement 3.6.4 – Cryptographic Key Changes at Cryptoperiod Completion

by Randy Bartels / December 22, 2022

Encryption keys have a lifespan. PCI Requirement 3.6.4 states, “Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines.” Cryptoperiods are a major topic when…

PCI Requirement 3.6.3 – Secure Cryptographic Key Storage

by Randy Bartels / December 22, 2022

If your organization encrypts PCI-related data, the keys that protect it must themselves be protected, as PCI Requirement 3.6.3 requires: “Secure cryptographic key storage.” Keeping keys in a protected store, with appropriate controls around it and access limited to the fewest people and locations possible, reduces the chance that a key is exposed and the encrypted data with it. The PCI DSS further explains, “The encryption solution must store keys…

PCI Requirement 3.6.2 – Secure Cryptographic Key Distribution

by Randy Bartels / December 22, 2022

PCI Requirement 3.6.2 states, “Secure cryptographic key distribution.” Whether keys travel physically, in tamper-proof or tamper-evident packaging on tracked shipments, or electronically, with the transmission logged and tracked, and whether they are moving from a key generator into production or out to backup, every method your organization uses to transmit keys needs to be done securely. To further explain…