If your organization is storing PCI-related data using encryption, those keys must be stored securely, as PCI Requirement 3.6.3 commands, “Secure cryptographic key storage.” If your key storage is securely stored, has the appropriate protections, and access is limited to the fewest number of people and locations as possible, you prevent your organization from being susceptible to an attack. The PCI DSS further explains, “The encryption solution must store keys securely, for example, by encrypting them with a key-encrypting key. Storing keys without proper protection could provide access to attackers, resulting in the decryption and exposure of cardholder data.”
You assessor should test your compliance with PCI Requirement 3.6.3 by examining your organization’s key management program and its procedures and methods to verify that they specifically outline and implement that secure storage of keys.
If you store, process, or transmit cardholder data, interact with payment card data in any way, or have the ability to impact someone else’s cardholder information or the security of that information, you are subject to comply with the PCI DSS. This exclusive video series, PCI Demystified, was developed to assist your organization in understanding what the Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what the specific requirements are, and what your organizations needs to know and do to become compliant.
Learn more at https://kirkpatrickprice.com/video/pci-requirement-3-6-3-secure-cryptographic-key-storage/
Once again, if you’re encrypting information, whether this be PII, PHI, PCI-related data, if you have implemented encryption as a part of this methodology, we want to make sure that those keys you’re using are stored securely. We want to make sure that access has been limited to the fewest possible number of individuals. You need to have protections around them so that in the event that somebody should compromise the server, they don’t gain access to the encryption keys or the decryption keys themselves. So, your assessor is going to be working with you and asking how you’ve gone about doing that. They’re going to be looking at your documented procedures for secure key distribution and secure key storage and how that rolls out. If you have an HSM in a FIPS-compliant device, the controls that are there are pretty much established by the technology. In short, once again, where you are storing these keys, they need to be stored securely.
More Free Resources
PCI Demystified: https://kirkpatrickprice.com/pci-demystified/
White Papers: https://kirkpatrickprice.com/white-papers/
KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks.
For more about KirkpatrickPrice: https://kirkpatrickprice.com/
Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/