Payment Card Industry Data Security Standards (PCI-DSS) require you to encrypt credit card account numbers stored in your database and ensure data remains secure when transferred outside the company.
What are PCI Compliance Encryption Fundamentals?
To understand PCI DSS encryption requirements, we must first familiarize ourselves with the source of industry best practices for encryption key management. NIST is the most commonly consulted source for best practices advice. The NIST special publication SP-800-57 covers best practices for procedural key management and features to look for in key management systems.
However, understanding security best practices such as Dual Control, Segregation of Duties, and Split Information is critical. These security concepts can be explained in terms of encryption key management as follows:
- The term “dual control” refers to the fact that no single person can manage your encryption keys. Creating, installing, and specifying access controls necessitates the collaboration of at least two people.
- Separation of responsibilities means that separate people should be in charge of different areas of your data security policy. The person who generates and administers the keys should not have access to the information they safeguard. Also, the encryption keys should not be in the hands of the person who has access to the protected material.
- Split information applies to the manual generation of encryption keys or at any point where encryption keys are publicly available. In this case, more than one person must be required to generate or regenerate a key.
Below are the requirements to consider when storing and transmitting your data to meet PCI DSS encryption standards. It would be beneficial if you also ensured that your encryption keys were adequately protected:
Protect your stored data with AES Encryption
The US government and agencies have accepted the Advanced Encryption Standard (AES) as a format standard (FIPS -197) for encrypting data in databases. For PCI-DSS, HIPAA, and specific government privacy rules, AES is the preferred encryption method. The encryption methods recognized by the National Institute of Standards and Technology (NIST) ensure that your data is protected to the highest standards.
Protect your data in transit with PGP Encryption
When it comes to encryption of files that need to be transferred, PGP encryption is standard. Pretty Good Privacy (PGP) is the industry standard for secure file transfers between the world’s largest retail, financial, medical, industrial, and service firms.
Also, be aware that you may be using AES encryption when encrypting a file with PGP. Transmit sensitive files over the internet using reliable encryption technologies such as AES, SSH, SSL, and PGP. Encryption solutions work together to ensure all your sensitive data is safe even after the transmission is complete. AES protects the sensitive information you store in your organization, and PGP keeps that data safe when sent outside of your company.
Protect your encryption keys and data by keeping them separate
If you keep your encrypted data and keys in the same place, it’s like placing your house key beneath the mat. Security best practices require you to store encryption keys separately from your encrypted data and manage them with an encryption key manager.
Also, in a public cloud environment, one customer’s data is often stored together with multiple other customers. This makes the public cloud an attractive target for attackers because the potential payoff may be greater than attacking a set of organizations individually.
Strong data-level encryption should be implemented on all sensitive or potentially sensitive data stored in a public cloud. Because breaching a Cloud Provider’s security can result in unauthorized access to multiple data stores, it is recommended that encryption keys used to encrypt and decrypt sensitive data are stored and managed independently of the cloud service where the data resides.
Protecting the encryption keys you utilize is the most critical aspect of a data encryption plan. Encryption keys protect your encrypted data. Your encrypted data can be accessed if someone has access to your keys.
What Is Strong Encryption According to PCI DSS?
Strong cryptography is defined by the Payment Card Industry Data Security Standard (PCI DSS) as cryptography based on industry-tested and accepted algorithms and effective key lengths, and proper key management techniques.
Protecting keys with hardware security modules is one method of protecting data and includes both encryption (reversible) and hashing (irreversible). The following are some examples of standard algorithms and key lengths:
- AES – 128 bit or higher
- TDES/TDEA – triple length keys
- RSA – 2048 bits or higher
- ECC – 224 bit or higher
- DSA/D-H – 2048/224 bits or higher
All management access over the network must be encrypted using strong encryption, according to PCI DSS. The rationale for this requirement is that an eavesdropper could gain access to important administrative or operational information such as administrator IDs or passwords.
Regardless of the security protocol applied, PCI DSS requires only strong encryption when transmitting cardholder data between networks and additional mechanisms such as trusted certificates.
It refers to industry standards and best practices for key management such as PCI DSS, NIST SP 800-52, SP 800-57, and OWASP to achieve strong encryption. Following NIST recommendations for key management, strong cryptography must be used to perform or support the core security services listed below:
- Confidentiality – Assuring that information will not be disclosed to unauthorized users. Cryptography makes information unreadable except for those who have the authority to read the data.
- Data Integrity – Assurance is required that data will not be modified in an unauthorized way. Cryptographic mechanisms such as digital signatures can be used to detect both intentional and accidental changes.
- Authentication can provide source authentication through cryptography, integrity authentication, digital signatures, and various key agreement techniques.
- Authorization – Permission to perform special access may be supported by using a cryptographic service to provide the key to allow access.
- Non-Repudiation – When non-repudiation is required, digital signature keys and certificates are generated via cryptography based on the name of the certificate subject.
- Support Services – Additional services must support cryptographic security services such as key generation or random number generation services.
The preservation of cryptographic keying material is one of the clearly stated tasks of the services above. Private keys used to encrypt and decode cardholder data should always be stored in one or more of the following forms, according to PCI DSS requirement 3.5.3 for secure key management and key storage:
- It should be encrypted and stored separately from the data encryption key with a key encryption key that is at least as strong as the data encryption key.
- It must be stored in a secure encryption device such as a hardware security module (HSM) or a PTS-certified touchpoint device.
- An industry-accepted mechanism should be used to store at least two full-length key components or key shares.
It is not necessary to store public keys in one of the above forms.