PCI Requirement 3.5 requires that your organization not only have a documented key management program, but that the program be implemented and in use. If an unauthorized individual were to gain access to your encryption/decryption keys, they would be able to decrypt your cardholder data. To comply with PCI Requirement 3.5, your organization must have implemented documented procedures for preventing unauthorized access to keys. The PCI DSS explains, “The requirement to protect keys from disclosure and misuse applies to both data-encrypting keys and key-encrypting keys. Because one key-encrypting key may grant access to many data-encrypting keys, the key-encrypting keys require strong protection measures.”
If you store, process, or transmit cardholder data, interact with payment card data in any way, or have the ability to impact someone else’s cardholder information or the security of that information, you are required to comply with the PCI DSS. This exclusive video series, PCI Demystified, was developed to assist your organization in understanding what the Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what the specific requirements are, and what your organization needs to know and do to become compliant.
Video Transcription
If your organization has implemented encryption as a means for rendering your cardholder data unreadable, we need to marry that with a program around managing your keys. So, we have to establish policies and procedures around that.
Looking at Requirement 3.5, it states that you have to have a program in place that’s documented to prevent unauthorized access to these keys. Understand that if someone gains access to your encryption/decryption keys, they likely have the keys to your kingdom. You see a lot of the hacks that have happened in years past: these organizations had encryption enabled (or at least they thought they had decent encryption enabled), and yet hackers were still able to remove the data from that environment. If you do not understand key management, one of the documents I would recommend that you view is the NIST 800-57 (there are 3 documents: A, B, C); have a read of those. That’ll help you understand what the merits and requirements are around developing a good key management program.
From an assessor’s perspective, we’re going to look at your key management program: everything that talks about your key rotation, your cryptoperiod, and the means and methods of how you protect against unauthorized key substitution and everything that’s involved in that. So, we’re looking for documentation that supports that; we’re going to interview staff and make sure that those individuals who are defined as your “key custodians” understand that. We’re also going to look at the means and methods for how that’s actually implemented. Once again, whatever you’ve documented is what we expect to see in place and functioning.
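As an added illustration of the key hierarchy the description and the transcript above refer to (example code, not KirkpatrickPrice’s or the PCI DSS’s own): each record is encrypted under its own data-encrypting key (DEK), and the DEK is stored only sealed under a key-encrypting key (KEK), so whoever holds the KEK can recover every DEK. Retiring the KEK at the end of its cryptoperiod means re-wrapping the DEKs, not re-encrypting the data, and a substituted or retired KEK fails the unwrap rather than silently producing garbage. AES-256-GCM from Go’s standard library is the assumed wrapping mechanism; the function names are mine.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// must turns an unexpected error (bad key length, broken RNG) into a panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// newKey returns a fresh random AES-256 key; KEKs and DEKs are generated alike.
func newKey() []byte {
	k := make([]byte, 32)
	must(rand.Read(k))
	return k
}
// seal encrypts plaintext with AES-256-GCM under key; the random nonce is prepended.
func seal(key, plaintext []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := newKey()[:g.NonceSize()] // 12 random bytes from the same CSPRNG
	return g.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; the GCM tag check rejects data sealed under any other key,
// so unwrapping with a substituted or retired KEK returns an error, not a bogus DEK.
func open(key, sealed []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	n := g.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:n], sealed[n:], nil)
}
// rotateKEK unwraps each DEK with oldKEK and re-wraps it under newKEK. Record
// ciphertexts are untouched: ending a KEK's cryptoperiod does not re-encrypt data.
func rotateKEK(oldKEK, newKEK []byte, wrapped [][]byte) ([][]byte, error) {
	out := make([][]byte, 0, len(wrapped))
	for _, w := range wrapped {
		dek, err := open(oldKEK, w)
		if err != nil {
			return nil, err
		}
		out = append(out, seal(newKEK, dek))
	}
	return out, nil
}
```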
About Us
KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks.
For more about KirkpatrickPrice: [ Link ]
Contact us today: 800-770-2701 [ Link ]