PCI Requirement 6.5.3 – Insecure Cryptographic Storage

by Randy Bartels / October 13th, 2017

What is Insecure Cryptographic Storage?

PCI Requirement 6.5 requires that your organization address common coding vulnerabilities in software development processes to ensure that applications are securely developed. One of the common coding vulnerabilities associated with secure application development is insecure cryptographic storage, which is outlined in PCI Requirement 6.5.3.

PCI Requirement 6.5.3 requires that your organization does not have insecure cryptographic storage. Everything that we learned in PCI Requirement 3 is coming back into play with PCI Requirement 6.5.3. We’ve talked about the requirements of a Key Management Program, but how does that fit into developing secure applications? The PCI DSS warns, “Applications that do not utilize strong cryptographic functions properly to store data are at increased risk of being compromised, and exposing authentication credentials and/or cardholder data. If an attacker is able to exploit weak cryptographic processes, they may be able to gain clear-text access to encrypted data.” As we learned in PCI Requirement 3, strong cryptography and a good Key Management Program is vital for the security of your cardholder data environment.

If your organization is storing PCI-related data using encryption, those keys must be stored securely, as PCI Requirement 3.6.3 commands, “Secure cryptographic key storage.” If your Key Management Program keeps your keys securely stored, has the appropriate protections, and access is limited to the fewest number of people and locations as possible, you can help prevent your organization from being susceptible to an attack.

When developing the application, we need to make sure that you have strong cryptography as part of the development lifecycle and management of the application. 6.5.3 talks about insecure cryptographic storage, and this goes into defining how you manage your keys. We talked about, in Requirement 3, all of the needs for developing a Key Management Program. This is one the things we look for as an assessor, your Key Management Program and how that plays out in your SDLC. It’s not really up to us to define your program. What we look for is that you have policies and procedures, your SDLC calls out how you’re managing the cryptography of the application, and making sure that you’re then adhering to those processes.