PCI Requirement 3.5 – Protect Keys Used to Store Cardholder Data

by Randy Bartels / July 28th, 2017

If your organization is using encryption to render cardholder data unreadable, you must have a key management program in place. PCI Requirement 3.5 requires organizations to, “Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.”

PCI Requirement 3.5 applies to: “keys used to encrypt stored cardholder data, and also applies to key-encrypting keys used to protect data-encrypting keys—such key-encrypting keys must be at least as strong as the data-encrypting key.”

If an unauthorized individual were to gain access to your encryption/decryption keys, they will be able to decrypt your keys. To comply with PCI Requirement 3.5, your organization must have implemented documentation related to preventing unauthorized access to keys. The PCI DSS explains, “The requirement to protect keys from disclosure and misuse applies to both data-encrypting keys and key-encrypting keys. Because one key-encrypting key may grant access to many data-encrypting keys, the key-encrypting keys require strong protection measures.”

During the assessment, everything involved in your key management program will be examined, your staff and key custodian will be interviewed, and the implementation of documentation will be assessed. The PCI DSS also states, “Examine key-management policies and procedures to verify processes are specified to protect keys used for encryption of cardholder data against disclosure and misuse and include at least the following:

  • Access to keys is restricted to the fewest number of custodians necessary.
  • Key-encrypting keys are at least as strong as the data-encrypting keys they protect.
  • Key-encrypting keys are stored separately from data-encrypting keys.
  • Keys are stored securely.”

For other resources regarding key management, we recommend viewing the NIST 800-57 document and our webinar on best practices for encryption and key management.

“If your organization is a service provider, Requirement 3.5.1 has an additional set of documented procedures for you. This really requires that you do a little bit of extra diligence around documenting the keys that you use, documenting if you’re using an HSM, documenting what those might look like, who you might share keys with – there’s a great deal of information that you’re asked to keep in addition to just the normal documentation. So, have a look at Requirement 3.5.1, specific to you as service provider. If you have any questions, spend some time with your assessor or QSA. I’m sure they’ll be happy to work you with you to identify what complying with this requirement might look like. “