Visa Europe revealed important stats about the usage of Contactless Cards. Poland, Spain and the UK use this payment method the most, with UK usage growing by 300% year over year.
Many organizations and information security professionals struggle with the implementation of PCI DSS Requirement 3.6.6, including a clear understanding of the value it brings.
The Requirement states:
“3.6.6 - If manual clear-text cryptographic key-management operations are used, these operations must be managed using split knowledge and dual control.”
The guidance column of the Standard provides the following explanation:
“Split knowledge and dual control of keys are used to eliminate the possibility of one person having access to the whole key. This control is applicable for manual key-management operations, or where key management is not implemented by the encryption product. Split knowledge is a method in which two or more people separately have key components, where each person knows only their own key component, and the individual key components convey no knowledge of the original cryptographic key. Dual control requires two or more people to perform a function, and no single person can access or use the authentication materials of another.”
Having more than one person take possession of the data decryption key makes sense, of course. You eliminate the threat of a single employee leaving the business with the key or, worse, going rogue.
So how does this fit in with the saying that a chain is only as strong as its weakest link?
Let’s try to visualize, in an overly simplistic way, a scenario with and without an HSM in order to appreciate the difference it makes. An HSM, or Hardware Security Module, is a physical computing device that safeguards and manages digital keys for strong authentication and also provides cryptographic processing. HSMs can come in the form of a plug-in card, a USB key or an external device that attaches directly to a computing component. One of the key attributes of an HSM is tamper evidence: visible signs of tampering, or logging and alerting. An HSM may further provide tamper resistance, which makes tampering difficult without rendering the HSM inoperable, or tamper responsiveness, such as deleting keys upon tamper detection. In the Payment Card Industry specifically, HSMs may provide functions including, but not limited to, key generation and the encryption and verification of security elements of a payment card such as the PIN, CVV and PVV, to name a few.
In the above data flow diagram, we have a simple e-commerce scenario with 4 typical components. Cardholder Data (CHD) is stored in the back-end database and encrypted as follows:
Let’s ignore all the other details and, for simplicity’s sake, just assume we are using symmetric encryption. The problem that Requirement 3.6.6 is trying to eliminate here is knowledge of the DEK (data encryption key) by any single person within the organization, whether as a result of generating, transporting, backing up, inserting or just plain accessing it.
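To make the guidance’s definition concrete for this symmetric-DEK scenario, here is an added example (not from the article) of the classic XOR key-component scheme used for manual key management: each custodian holds one component that is uniformly random on its own, and the DEK only exists once every required custodian contributes. The custodian names and the 128-bit key are constructed sample values.

```python
import secrets
from functools import reduce

KEY_LEN = 16  # a 128-bit symmetric DEK, matching the simplified scenario


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("key components must all be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int) -> list[bytes]:
    """Split knowledge: one component per custodian.

    The first custodians-1 components are fresh random bytes; the last is
    chosen so that XOR-ing all components reproduces the key. Each
    component on its own is uniformly random and conveys no knowledge
    of the key, which is exactly the property the guidance asks for.
    """
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    parts.append(reduce(xor_bytes, parts, key))  # key ^ p1 ^ ... ^ p(n-1)
    return parts


def combine_components(submissions: dict[str, bytes], required: int) -> bytes:
    """Dual control: the key is reconstructed only when `required` distinct
    custodians (dict keys) have each contributed their own component."""
    if len(submissions) < required:
        raise PermissionError(
            f"{len(submissions)} custodian(s) present, {required} required")
    return reduce(xor_bytes, submissions.values())


def component_consistent_with(known: bytes, candidate_key: bytes) -> bytes:
    """Two-custodian case: for ANY candidate key there is exactly one value
    of the missing component that would produce it, so a single component
    does not narrow the key space at all."""
    return xor_bytes(known, candidate_key)


if __name__ == "__main__":
    dek = secrets.token_bytes(KEY_LEN)          # constructed sample DEK
    alice, bob, carol = split_key(dek, 3)       # constructed custodians
    ceremony = {"alice": alice, "bob": bob, "carol": carol}
    assert combine_components(ceremony, 3) == dek
    print("DEK reconstructed under dual control; components:", len(ceremony))
```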
Again, keeping things simple the following diagram utilizes the same scenario, but this time including an HSM which provides the following functions in order to support the dual key control and split key management requirement:
We have a simple e-commerce scenario with 4 typical components where CHD is stored in the back-end database, but this time encrypted by the HSM as follows:
So far, so good, right? Wrong! What is wrong with this picture (diagram) and how does the weakest link principle apply here?
Well, let’s start with the good news before we get to the bad.
What we’ve managed to accomplish:
Well, on the face of it this seems quite good. But have we reduced risk, and if yes by how much? In other words, let’s try to get to the bad news by asking the following 2 questions:
Well, let’s highlight a couple of important assumptions, which depict the most common implementations out there before answering these questions:
So, having made the above assumptions we can now try to answer the questions we posed:
With those questions in mind, what can we say about risk and compliance:
Here’s my take in conclusion:
Since you are still here, and you have read my opinion, what are your thoughts?
Do you agree or disagree? Did you find the information useful in any way? Were the assumptions, arguments and diagrams clear and understandable? Was the length, detail and technical depth of sufficient quality? Would you enjoy additional articles that analyze controversial, complex or challenging topics related to risk and compliance? Let us know in the comments and hit the like and share buttons.
I am the COO and Director of Professional Services at Advantio.
I have been at the forefront of the Payment Card Industry starting with PCI DSS version 1.0 in 2005. Since then I have executed hundreds of assessments, delivered numerous trainings and have been a keynote speaker at industry events across Europe, the Middle East, Asia, North America and Africa empowering organizations to defend themselves against modern-day cyberattacks.
Certifications: CISSP / CISA / PCI-QSA