PCI DSS Standard

In response to consumer demand for improved protection of sensitive account information, the major Card Associations developed data protection programs for members, merchants, and service providers. Visa’s Cardholder Information Security Program (CISP), MasterCard’s Site Data Protection (SDP) and other programs have been aligned into the Payment Card Industry (PCI) Data Security Standard.

Encryption and key management are critical components of cardholder data protection

The PCI standard addresses specific encryption controls within the following areas:
• Encryption of stored data using strong algorithms
• Protection of encryption keys
• Encryption of cardholder data transmitted over the Internet
• Key management for secure creation, distribution and destruction of strong cryptographic keys

Integrating encryption with existing and new applications and storage technologies can raise its own challenges.  Data travels between disparate applications, ultimately touching many points across the enterprise – from point of sale, to transaction files and corporate system databases, and externally to banks and other processors.  The authorization policies for data encrypted at one location may significantly differ from the policy and security systems employed at another location where the data needs to be accessed.

Deploying a patchwork of encryption technologies and their associated key management tools creates gaps and inconsistencies where data can be exposed and protection is hard to prove.  Fragmented encryption deployments can also compound the inherent performance concerns associated with encryption.

PCI requires strong controls for keys throughout their lifecycle

The PCI specification requires that encryption keys that are generally accessible across the network must have strong controls in place to secure their delivery and storage throughout their lifecycle as they are generated, stored, retrieved, revoked, and archived.

nCipher supports PCI compliance with:

keyAuthority -- an enterprise key management solution that helps protect and manage cryptographic keys, and provides the flexibility to provision them on-demand to applications throughout the enterprise.

Hardware Security Modules - HSMs -- protects cryptographic keys and performs a variety of cryptographic functions in a highly secure tamper-resistant environment, enabling encryption to be effectively managed, well protected and deployed with confidence.

CipherTools --  a comprehensive toolkit for developers that allows new or existing applications to be upgraded to support the use of encryption and further enhanced with nCipher HSMs to deliver strong cryptographic processing for custom built and commercial, off the shelf applications.

PCI Requirement 3.6, below, is just one of many that nCipher helps you address.  For information on other PCI requirements read our whitepaper "A Guide to Key Management for PCI Compliance" or view our webinar.

PCI Requirement 3.6
“Fully document and implement all key management processes and procedures.”

This requirement lists a number of specific sub requirements associated with key management, including the following:

3.6.1 Generation of strong keys 
Whether generated locally within an HSM at the point of use or centrally in an enterprise key management system, all keys can be generated within a FIPS validated hardware environment incorporating a true random number generator.

3.6.2 Secure key distribution 
Whether key material is being transferred between HSMs or is being delivered to remote end-points by the nCipher keyAuthority key management system, all keys can be securely encrypted using hardware protected system keys.

3.6.3 Secure key storage 
Keys should only ever be stored within an HSM or stored externally after being encrypted by master keys that never leave an HSM.

3.6.4 Periodic changing of keys 
Keys managed locally within an HSM can be changed or ‘rolled’ by local administrators as required. In larger scale systems, keyAuthority supports the automated rolling of keys at any end-point.

3.6.5 Destruction of old keys 
Administrators can easily delete keys. Further, control of key usage can be strongly enforced, ensuring that if unauthorized or old copies of encrypted key material cannot be used without operator authorization.

3.6.6 Split knowledge and establishment of dual control of keys 
Use of multiple smart cards by multiple administrators can be required in order to authorize a key or set of keys. These controls can be applied locally on individual HSMs or centrally on the entire key management system.

3.6.8 Replacement of known or suspected compromised keys 
nCipher provides the capability to revoke keys and replace/renew keys. For organizations utilizing the nCipher keyAuthority centralized key management system this can be performed globally from a single management console.

3.6.9 Revocation of old or invalid keys 
nCipher provides the capability to revoke keys and replace/renew keys globally from a single management console.

For information on other PCI requirements read our whitepaper "A Guide to Key Management for PCI Compliance" or view our webinar.

Back to Solutions