3.6.6 Split knowledge and establishment of dual control of keys
3.6.7 Prevention of unauthorized substitution of keys
3.6.8 Replacement of known or suspected compromised keys
3.6.9 Revocation of old or invalid keys
3.6.10 Requirement for key custodians
While the PCI DSS itself gives a fair amount of background on these requirements, reviewing the additional documentation on this topic is strongly recommended. The PCI Council points to NIST Special Publication 800-57 (Recommendation for Key Management) as the guideline for managing cryptographic keys.
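Requirement 3.6.6 is normally satisfied by never letting one person hold the whole key: the key exists only as XOR components, each kept by a different custodian, and is reassembled only at a ceremony where all of them are present. The Python below is an added illustration of that component scheme, not code from the article or from the PCI Council; the custodian names are made up, and a truncated SHA-256 stands in for the AES-encryption-of-a-zero-block key check value that an HSM would compute over real components.

```python
import hashlib
import secrets
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Component:
    """One key component, held by exactly one custodian."""
    holder: str   # custodian name (constructed for the example)
    value: bytes  # component bytes; on its own, indistinguishable from random
    kcv: str      # check value of this component, to catch mistyped entries


def check_value(data: bytes) -> str:
    # Assumption: a truncated SHA-256 stands in for the AES-encrypt-zero-block
    # KCV that hardware security modules compute over real key components.
    return hashlib.sha256(data).hexdigest()[:6]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must be the same length as the key")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, holders: list[str]) -> list[Component]:
    """Split `key` into len(holders) components whose XOR is the key.

    Every component but the last is uniformly random; the last is chosen so
    that the XOR of all of them equals the key. Any proper subset of the
    components is therefore itself uniformly random and reveals nothing.
    """
    if len(holders) < 2:
        raise ValueError("dual control needs at least two custodians")
    components = []
    running = bytes(len(key))
    for holder in holders[:-1]:
        part = secrets.token_bytes(len(key))
        running = xor_bytes(running, part)
        components.append(Component(holder, part, check_value(part)))
    last = xor_bytes(running, key)
    components.append(Component(holders[-1], last, check_value(last)))
    return components


def combine_key(components: list[Component]) -> bytes:
    """Reassemble the key from components; verifies each KCV first."""
    key = bytes(len(components[0].value))
    for comp in components:
        if check_value(comp.value) != comp.kcv:
            raise ValueError(f"component held by {comp.holder} failed its check value")
        key = xor_bytes(key, comp.value)
    return key


def subset_recovers_key(components: list[Component], key: bytes) -> bool:
    """True only if some proper, non-empty subset of custodians could rebuild
    the key on their own. With random components this is expected to be
    False: no coalition short of all custodians gains partial knowledge."""
    for r in range(1, len(components)):
        for subset in combinations(components, r):
            if combine_key(list(subset)) == key:
                return True
    return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # a fresh AES-256 key-encrypting key
    comps = split_key(key, ["custodian_a", "custodian_b", "custodian_c"])
    for c in comps:
        print(f"{c.holder}: KCV {c.kcv} (component sealed in that custodian's own envelope)")
    print("all three present, key rebuilt, KCV", check_value(combine_key(comps)))
    print("any two alone can rebuild it:", subset_recovers_key(comps, key))
```

The KCV on each component is what lets a custodian confirm a transcribed component before it is combined, without exposing the component itself; a mismatched KCV aborts the ceremony rather than silently producing a wrong key.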
Encryption is often seen as a quick and dirty way to fix years of security neglect. Sometimes it is considered scary and difficult to understand. While encryption is extremely powerful, it can only protect your data when its requirements are properly defined and its implementation is properly deployed.
If you follow that advice and ensure your technical processes align with your business processes, you will find that your encryption deployment is both effective and efficient. Hopefully this article has shown you that encryption is something to be embraced -- not to be intimidated by.
Ben Rothke, CISSP, QSA (email@example.com), is a Security Consultant with BT Professional Services and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill Professional Education).
David Mundhenk, CISSP, PCI-DSS & PA-DSS QSA, QPASP (firstname.lastname@example.org), is a Security Consultant with a major professional services firm.
This story, "End-to-End Encryption: The PCI Security Holy Grail" was originally published by CSO.