May 17, 2010, 3:57 PM — At its core the PCI Data Security Standard is a set of requirements that codify security best practices. But companies that institute programs to better protect cardholder data can also extend those efforts across the business, so that other sensitive customer, employee and partner data is better protected as well.
Encryption is a critical element of any security strategy and is widely leveraged to protect data and, when properly managed, satisfies a growing body of regulations such as PCI DSS. Yet managing the increasing key and certificate volumes has reached a tipping point as enterprises increase their encryption deployments. Poorly managed, lost or stolen encryption keys can lead to failed audits, data breaches and system downtime.
PCI DSS and key management
The PCI standard provides specific requirements for achieving and maintaining compliance. It is organized into 12 primary requirements, each broken into numbered sub-requirements. Sub-requirements 3.5 and 3.6, under Requirement 3 ("Protect stored cardholder data"), contain the specific language that defines how encryption keys must be managed in order to achieve compliance.
Note that the standard does not distinguish between, or assign priority to, symmetric keys and asymmetric private keys: both key types must be properly secured to be PCI DSS compliant. Requirement 3.5 mandates that keys be protected against "both disclosure and misuse", and Requirement 3.6 mandates that key-management processes be fully "documented and implemented" for all key types.
When data is protected with a certificate and its corresponding private key, the key becomes the secret that must be protected: the certificate's public key can be shared freely, but whoever holds the private key can decrypt the data (or impersonate the server the certificate identifies). If the private key is not well managed and protected, the risk of data loss or theft increases dramatically. This threat becomes particularly acute when keys reside in a container or "keystore" (or in several keystores) with shared administrative access. The keys that protect the data are then readable by multiple administrators with no access controls or audit trail, and are often copied widely and insecurely within the organization.
Private key management
Two of the 12 PCI DSS requirements bear directly on the use and proper management of SSL/TLS certificates and the private keys they rely on: Requirement 3 covers cardholder data at rest, and Requirement 4 mandates that cardholder data be encrypted when transmitted over open, public networks. In both cases the data is protected only as long as the decryption (private) key is protected, because the encrypted data cannot be decrypted and consumed without it. A stolen key means disclosure; a lost or mismanaged key can mean that a company is locked out of its own data.
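The two failure modes described above, a private key that is readable by more accounts than it should be and a key that is copied into several keystores, are easy to check for on a file-based keystore. The following script is an added example, not code from the original article or from any PCI DSS tooling. It assumes private keys are kept as PEM files on a POSIX filesystem and looks for three things: key files readable by group or other, private keys stored without PEM encryption, and the same key material present in more than one place. The sample directory it builds is constructed for the demonstration; the base64 bodies are placeholders, not real keys.

```python
from __future__ import annotations

import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass

# Markers that identify a PEM private key and, within it, an encrypted one.
PRIVATE_MARKER = "PRIVATE KEY-----"
ENCRYPTED_MARKERS = ("BEGIN ENCRYPTED PRIVATE KEY", "Proc-Type: 4,ENCRYPTED")


@dataclass(frozen=True)
class Finding:
    path: str   # relative to the audited root
    issue: str


def audit_key_dir(root: str) -> list[Finding]:
    """Walk `root` and report private-key files that are readable by other
    accounts, stored in cleartext, or kept in more than one location."""
    findings: list[Finding] = []
    seen: dict[str, str] = {}  # sha256 of file bytes -> first path it was seen at
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order, so the "first copy" is stable
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                data = fh.read()
            text = data.decode("utf-8", errors="replace")
            if PRIVATE_MARKER not in text:
                continue  # certificates and public keys are not secrets
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append(Finding(rel, f"readable by group/other (mode {mode:04o})"))
            if not any(m in text for m in ENCRYPTED_MARKERS):
                findings.append(Finding(rel, "private key stored unencrypted"))
            # Exact-bytes comparison: a re-encoded copy of the same key would
            # not match, so this catches careless copies, not every duplicate.
            digest = hashlib.sha256(data).hexdigest()
            if digest in seen:
                findings.append(Finding(rel, f"duplicate of {seen[digest]}"))
            else:
                seen[digest] = rel
    return findings


# Constructed sample files (assumption for the demo): placeholder bodies, not real keys.
CLEAR_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEowIBAAKCAQEAPLACEHOLDERKEYMATERIAL\n"
    "-----END RSA PRIVATE KEY-----\n"
)
ENCRYPTED_KEY = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    "MIIFHDBOBgkqhkiG9w0BBQ0PLACEHOLDER\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
)
CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIDPLACEHOLDERCERT\n"
    "-----END CERTIFICATE-----\n"
)


def build_sample_tree() -> str:
    """Create a throwaway directory that mimics a badly managed keystore layout."""
    root = tempfile.mkdtemp(prefix="keyaudit-")
    layout = {
        "app/server.key": (CLEAR_KEY, 0o644),         # cleartext and world-readable
        "app/server.crt": (CERT, 0o644),              # public material, fine to share
        "backup/server.key": (CLEAR_KEY, 0o600),      # second copy of the same key
        "vault/signing.key": (ENCRYPTED_KEY, 0o600),  # how a key at rest should look
    }
    for rel, (content, mode) in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for f in audit_key_dir(build_sample_tree()):
        print(f"{f.path}: {f.issue}")
```

Run against the sample tree, the audit reports `app/server.key` twice (world-readable and unencrypted), reports `backup/server.key` as unencrypted and as a duplicate of `app/server.key`, and is silent about the certificate and the encrypted key in `vault/`. Pointing `audit_key_dir` at a real keystore directory gives a first inventory of which keys are exposed to shared administrative access and which have been copied around; it says nothing about keys held in an HSM or a database-backed keystore, which need their own access-control review.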