Next, start thinking about the encryption architecture. Who are the important parties involved? What operating and trust models are you going to use? An important and often overlooked point is application integration. Not every application you have will be able to add, or even support, encryption capabilities seamlessly. While encryption is much easier for newer web-based implementations, what about that POS application that runs off an AS/400? The POS vendor may be long gone, may not have addressed PABP or PA-DSS compliance, or may not want to rewrite their application. Once the architecture is detailed and developed, ensure that adequate security-related testing is done prior to roll-out.
Also, ensure that encryption is part of your Disaster Recovery/Business Continuity Plan. Encryption functionality must be available 24 x 7. If your encryption appliance fails at 3:00 AM, a good BCP ensures that it does not bring down your entire merchant system and interrupt commerce. Protection of encryption keys and protection of encrypted data also go hand in glove, and neither should be overlooked when working through DR/BCP exercises.
Physical security is also paramount. It should be noted that every vendor of network operating systems places the foundation of its security architecture at the physical server level. If an unauthorized individual has physical control of your encryption appliance and encryption keys, that could be an utter disaster in the making.
Once you have completed those steps and your encryption program is deployed, you are still not finished. Your post-deployment plans are almost as important as your pre-deployment plans. All systems are subject to change -- and encryption is no exception. A well-designed encryption program should be able to integrate new requirements seamlessly without significant re-engineering of production systems. This includes upgrading systems to accommodate new releases, performance increases, capacity/availability requirements, hardware upgrades, and new end-user applications.
PCI DSS Key Management Requirements
PCI is superb at providing details on how to deal with KM. PCI DSS Requirement 3 (Protect stored cardholder data) creates the requirements. The specific key-management requirements are found in section 3.6 of the PCI DSS and include the following:
3.6.1 Generation of strong keys
3.6.2 Secure key distribution
3.6.3 Secure key storage
3.6.4 Periodic changing of keys
3.6.5 Destruction of old keys
3.6.6 Split knowledge and establishment of dual control of keys
3.6.7 Prevention of unauthorized substitution of keys
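As an added illustration (not code from the original article, and not a PCI-mandated design), the following Python shows one conventional way to implement four of the controls above: CSPRNG key generation (3.6.1), XOR-based split knowledge so that no single custodian holds usable key material (3.6.6), a key check value that detects an unauthorized substitution (3.6.7), and a cryptoperiod check that flags keys due for retirement (3.6.4/3.6.5). The label `PCI-KCV`, the 24-bit KCV length and the function names are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

KEY_BYTES = 32  # 256-bit data-encrypting key (example size, an assumption)


def generate_key() -> bytes:
    """3.6.1: strong key material from the OS CSPRNG, never random.random()."""
    return secrets.token_bytes(KEY_BYTES)


def split_key(key: bytes, custodians: int) -> list[bytes]:
    """3.6.6: split knowledge via XOR n-of-n secret splitting.

    Each custodian receives one share. All shares are needed to rebuild the
    key, and any subset of fewer than all shares is statistically independent
    of the key, so no single custodian ever holds usable key material.
    """
    if custodians < 2:
        raise ValueError("dual control needs at least two custodians")
    shares = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    return shares + [last]


def combine_shares(shares: list[bytes]) -> bytes:
    """Key ceremony: XOR every share back together to recover the key."""
    key = bytes(len(shares[0]))
    for share in shares:
        key = bytes(a ^ b for a, b in zip(key, share))
    return key


def key_check_value(key: bytes) -> str:
    """3.6.7: 24-bit check value (HMAC of a fixed label, truncated) recorded in
    the key inventory at installation; it confirms which key is loaded in an
    appliance without revealing the key itself."""
    return hmac.new(key, b"PCI-KCV", hashlib.sha256).hexdigest()[:6]


def verify_key_check_value(key: bytes, recorded_kcv: str) -> bool:
    """A substituted key will not match the KCV held in the separate inventory."""
    return hmac.compare_digest(key_check_value(key), recorded_kcv)


def rotation_due(installed: date, cryptoperiod_days: int, today: date) -> bool:
    """3.6.4: flag a key whose cryptoperiod has elapsed so it is retired (3.6.5)."""
    return today >= installed + timedelta(days=cryptoperiod_days)
```

The KCV must be recorded somewhere the key itself is not stored (the key inventory or ceremony log), otherwise whoever can swap the key can swap the check value with it.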