Blog | Townsend Security

PCI DSS 2.0 and Encryption Key Management - As the Dust Settles

Written by Patrick Townsend | Aug 2, 2011 3:39:00 PM


We are now past the half-way mark of the transition from PCI DSS version 1.2 to PCI DSS version 2.0. During 2011 merchants have the option of qualifying under either version of the data security standard. Starting on January 1, 2012, the only option will be to meet the version 2.0 standard. So, what trends have we observed?

Level 1 merchants are doing pretty well meeting the data security requirements because they’ve been through several cycles of on-site QSA audits. With the basic security controls in place, they are focusing on implementing better real-time monitoring and learning to react quickly to new threats. We still see breaches among large retailers because the bad guys are getting better, but the larger merchants have really stepped up their game.

The picture is not so bright with Level 2 and Level 3 merchants. Level 2 merchants now have to undergo an on-site QSA audit, or have their own staff complete annual training with a PCI SSC certified trainer. This is having a big impact on a lot of these merchants whose security controls were not up to par. They are having to deploy better monitoring systems and meet industry best practices for encryption and key management, and key management is turning out to be a problem area for many of these mid-tier merchants.

What are the key management problems that I am hearing about? Here are some examples:
  • A retailer with an eCommerce web site running on a Windows platform is encrypting data in a SQL Server database, but the key is stored on another server in the clear. A QSA auditor required that the merchant deploy better key management practices.
  • A large manufacturer runs a user group and collects membership fees from a web site, which are then processed on an IBM System i (AS/400) platform. The encryption keys were stored in encrypted format on the same server as the data they protect. A QSA auditor at their payment processor required that they institute better key management practices by storing the keys in an HSM on a physically separate server.
  • A division of a large home improvement retail chain accepted customer orders from a web site and processed the authorization transactions on a Linux server. The encryption keys were stored on a removable storage device. The payment processor rejected their self-assessment questionnaire on the basis of key management practices. The division migrated to the corporate key management solution to resolve the issue.
  • A software vendor that provides web-based hotel reservation portals uses both a Windows application and a Linux application to process reservation requests and payments. PCI standards require that credit card numbers be encrypted as data moves through both server environments. This software developer had good advice and chose a defensible key management strategy from the start.
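The common thread in the first three cases is that the key that unlocks the cardholder data lives where the data does, or sits somewhere an attacker can copy along with it. The remedy the QSAs asked for is key separation: the application holds only a wrapped data-encrypting key (DEK), and the key-encrypting key (KEK) lives in a key manager or HSM on a separate host that the application calls at runtime. The following Go program is an added example to show that split; it is not code from this blog or from any Townsend Security product, and it stands in a `KeyServer` struct for the separate HSM or key server so that it runs offline. The PAN value and the `dek-v1`/`pan` context labels are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyServer stands in for the HSM or key manager on a physically separate
// host (hypothetical; an in-process struct so the example runs offline).
// It is the only component that ever holds the key-encrypting key (KEK).
type KeyServer struct {
	kek []byte // 32-byte AES-256 key; never returned to callers
}

func NewKeyServer() (*KeyServer, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyServer{kek: kek}, nil
}

// aesGCMSeal encrypts plaintext under key with a fresh random nonce and
// returns nonce||ciphertext||tag. aad binds the blob to a context label.
func aesGCMSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aesGCMOpen reverses aesGCMSeal; it fails if the key, nonce, tag or aad
// do not match, which is what stops a second key server's KEK from working.
func aesGCMOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// WrapDEK and UnwrapDEK are the key server's whole API: the application
// sends a DEK in and gets a wrapped DEK back, or the reverse. The KEK never
// crosses this boundary.
func (s *KeyServer) WrapDEK(dek []byte) ([]byte, error) {
	return aesGCMSeal(s.kek, dek, []byte("dek-v1"))
}

func (s *KeyServer) UnwrapDEK(wrapped []byte) ([]byte, error) {
	return aesGCMOpen(s.kek, wrapped, []byte("dek-v1"))
}

// Rewrap moves a wrapped DEK from this server's KEK to next's KEK, so the
// KEK can be rotated without re-encrypting the stored cardholder data.
func (s *KeyServer) Rewrap(wrapped []byte, next *KeyServer) ([]byte, error) {
	dek, err := s.UnwrapDEK(wrapped)
	if err != nil {
		return nil, err
	}
	return next.WrapDEK(dek)
}

// Record is everything the application's database stores for one card:
// the encrypted PAN and the wrapped per-record DEK. A stolen copy of the
// database is useless without a call to the key server.
type Record struct {
	WrappedDEK   []byte
	EncryptedPAN []byte
}

// EncryptPAN generates a fresh DEK, encrypts the PAN under it, has the key
// server wrap the DEK, then zeroes the plaintext DEK before returning.
func EncryptPAN(ks *KeyServer, pan string) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := aesGCMSeal(dek, []byte(pan), []byte("pan"))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := ks.WrapDEK(dek)
	if err != nil {
		return Record{}, err
	}
	for i := range dek {
		dek[i] = 0
	}
	return Record{WrappedDEK: wrapped, EncryptedPAN: ct}, nil
}

// DecryptPAN asks the key server for the unwrapped DEK and uses it once.
func DecryptPAN(ks *KeyServer, r Record) (string, error) {
	dek, err := ks.UnwrapDEK(r.WrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := aesGCMOpen(dek, r.EncryptedPAN, []byte("pan"))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// RecordLeaks reports whether the stored record contains the PAN in the
// clear, the failure the first QSA finding above describes.
func RecordLeaks(r Record, pan string) bool {
	return bytes.Contains(r.EncryptedPAN, []byte(pan)) || bytes.Contains(r.WrappedDEK, []byte(pan))
}

func main() {
	ks, _ := NewKeyServer()
	rec, _ := EncryptPAN(ks, "4111111111111111") // constructed test PAN
	pan, err := DecryptPAN(ks, rec)
	fmt.Println(pan, err, RecordLeaks(rec, "4111111111111111"))
}
```

Two properties are worth checking against your own deployment: a copy of the data store plus the wrapped key must not be decryptable without the key server (try it with a second `KeyServer` and confirm `DecryptPAN` fails), and rotating the KEK should be a `Rewrap` of the small wrapped-DEK blobs, not a bulk re-encryption of cardholder data.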

I think you get the idea. Starting with a good key management solution is going to save you some grief later. We helped each of these companies meet the PCI DSS key management requirements, and in most cases it really didn't take that much time or effort. But it is better to get it right from the start!

To learn more, download our white paper on encryption key management requirements for PCI.