PCI Requirement 3.6 – Document & Implement All Key-Management Processes & Procedures for Cryptographic Keys

by Randy Bartels / July 28th, 2017

PCI Requirement 3.6 states, “Fully document and implement all key management processes and procedures for cryptographic keys used for encryption of cardholder data.” PCI Requirement 3.6 and its sub-requirements are meant to build your organization’s key management program because, according to the PCI DSS, “The manner in which cryptographic keys are managed is a critical part of the continued security of the encryption solution. A good key management process, whether it is manual or automated as part of the encryption product, is based on industry standards and addresses all key elements in 3.6.1 through 3.6.8.” NIST is a great industry standard to base your key management program off of.

Assessors want to see that you have controls surrounding the changing of keys, which is why we will look at your environment to see how you rotate and change keys, and how you prevent unauthorized access and substitutions. The 8 sub-requirements under PCI Requirement 3.6 outline what should be included in your organization’s key management program:

• PCI Requirement 3.6.1 requires, “Generation of strong cryptographic keys.”
• PCI Requirement 3.6.2 requires, “Secure cryptographic key distribution.”
• PCI Requirement 3.6.3 requires, “Secure cryptographic key storage.”
• PCI Requirement 3.6.4 requires, “Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-57).”
• PCI Requirement 3.6.5 requires, “Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised.”
• PCI Requirement 3.6.6 requires, “If manual clear-text cryptographic key-management operations are used, these operations must be managed using split knowledge and dual control.”
• PCI Requirement 3.6.7 requires, “Prevention of unauthorized substitution of cryptographic keys.”
• PCI Requirement 3.6.8 requires, “Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key custodian responsibilities.”

When we look at Requirement 3.6, there’s several sub-requirements underneath that, and we’ll be talking about those in the next set of videos. But effectively, what the PCI DSS requires is that you have a formal key management program. It’s just not enough to create these keys and use them in perpetuity. There’s numerous controls around the changing of these keys, altering them, preventing unauthorized access to them, or preventing unauthorized key substitution. There are several situations where we, as assessors, are going to want to look at your environment and see how you’ve rotated your keys – all of these things are going to be talked about in the next few videos.