PCI Requirement 3.6.1 – Generation of Strong Cryptographic Keys

by Randy Bartels / July 28th, 2017

PCI Requirement 3.6.1 requires, “Generation of strong cryptographic keys.” It also requires that, “The encryption solution must generate strong keys, as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms under “Cryptographic Key Generation.”

The intent of PCI Requirement 3.6.1, according to the PCI DSS, is to “significantly increase the level of security of encrypted cardholder data.” PCI Requirement 3.6.1 is part of the 8 sub-requirements of PCI Requirement 3.6, which is meant to build your organization’s key management program because, the PCI DSS states, “The manner in which cryptographic keys are managed is a critical part of the continued security of the encryption solution. A good key management process, whether it is manual or automated as part of the encryption product, is based on industry standards and addresses all key elements at 3.6.1 through 3.6.8.”

We recommend that you perform a risk assessment around the generation of your cryptographic keys; this way, you can see if your keys become weakened or hold up. Industry standards, like NIST, should be used when determining how to manage and generate keys.

“If you’re using encryption within your environment, you need to use strong encryption. What this effectively means is that you need to generate strong keys. Once again, you need to be using an industry best practice for this. One of the things that I would recommend that you do as part of your risk management program, just like the annual risk assessment that you’re required to do, is that you perform somewhat of a risk assessment around the generation of your keys.

If during the period of time, your encryption keys become deprecated or weakened because of some change to the industry, you must have a process for generating a new key. We’ll be talking about that in a subsequent video. Specific to PCI Requirement 3.6.1, you have to have a process in place where you’re actually generating strong keys. IF you have an HSM, that’s kind of inherent in using the HSM itself. If you have a clear text process where you’re managing or developing these keys, it needs to be done securely. I would recommend that you look at industry best practices like NIST 800-57 for that information. “