PCI Requirement 3.4.1 – Use of Disk Encryption
If your organization is going to use disk encryption as a means to render data unreadable, you need to comply with PCI Requirement 3.4.1. PCI Requirement 3.4.1 states, “If disk encryption is used (rather than file or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts. This requirement applies in addition to all other PCI DSS encryption and key-management requirements.”
The PCI DSS states, “Full disk encryption helps to protect data in the event of physical loss of a disk and therefore may be appropriate for portable devices that store cardholder data.”
The authentication credentials used to decrypt the drive must be separate from the authentication credentials that are used to log into the operating system. The intent behind this requirement is to create a separation so that if the user’s authentication credentials are compromised, that doesn’t automatically give someone access to the data set that has been decrypted.
Using whole disk encryption makes it difficult to meet PCI Requirement 3.4, because, as Jeff Wilder explains, one you’ve booted the system and mounted the drive, there’s transparent data encryption that’s accessible to the end user. The PCI DSS explains, “Disk-level encryption encrypts the entire disk/partition on a computer and automatically decrypts the information when an authorized user requests it. Many disk-encryption solutions intercept operating system read/write operations and carry out the appropriate cryptographic transformations without any special action by the user other than supplying a password or passphrase upon system startup or at the beginning of a session. Based on these characteristics of disk-level encryption, to be compliant with this requirement, the method cannot use the same user account authenticator as the operating system, or use a decryption key that is associated with or derived from the system’s local user account database or general network login credentials.” If you’re using whole disk encryption to meet Requirement 3.4, be prepared to have a conversation with your assessor about the controls that you’re using.
“If you’re going to be using hard disk encryption as a means for meeting the 3.4 Requirement (for rendering your data unreadable) and you’re using whole disk encryption to do that, we have a requirement that the authentication credentials that you use to decrypt the drive be separate from the authentication credentials that are used to log in to your operating system. The reason for this is that if a hacker physically compromises your Windows box, for instance, those decryption keys actually reside on the physical device within the registry. Microsoft BitLocker can be configured appropriately to do this, where you have separate authentication credentials, but the point of this particular requirement is to cause a separation so if the user’s authentication credentials are compromised, that doesn’t automatically give someone access to the data set that has been decrypted. We want to make sure we have separate authentication credentials for doing that. From an assessment perspective, we’re going to talk to the staff and we’re going to look at how you’ve implemented whole disk encryption, if you’ve done so, and make sure that the authentication credentials that are subject to that are separate. As a point of conversation and understanding, it’s going to be necessary that you understand that whole disk encryption, when it mounts the drive, the cardholder data is rendered readable. As part of this test, we still have to see that the cardholder data is rendered unreadable, so using whole disk encryption kind of gets really difficult for meeting Requirement 3.4, which is rendering it unreadable, because once you’ve booted that system and mounted that drive, there’s transparent data encryption that’s used, and it’s accessible to the end user. So just be cognizant of that and if you’re using whole disk encryption to meet this requirement, be prepared to have a conversation with your assessor about the controls that you’re using in order to meet the 3.4 Requirement. “