[PCI DSS 1.x] 3.5 Protect cryptographic keys used for encryption of cardholder data against both disclos

[PCI-DSS] 3.5 Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse:

3.5 Verify processes to protect keys used for encryption of cardholder data against disclosure and misuse by performing the following:

Hi,

Our organization is accessing the client systems via Citrix program neighborhood application. No local storage of cardholder data is possible. But our team can view the PAN information. As far as the requirement 3.3 is concerned, this is a legitimate business requirement and appropriate approvals for the same can be obtained. Now, in this situation, as the cardholder information can only be viewed, and it being a legitimate business requirement, can the control 3.5 be considered as “Not Applicable”? If not, then I would appreciate if you could let me know the reason.

Thanks in anticipation!

Secure storage of key-encrypting keys

We want internal employees and external customers to be able to supply new credit card details at any time to the application server for storage. The application server must store PANs securely so it needs to know how to encrypt the data at all times.

I suggest that the application server use asymmetric encryption for the PANs, such as RSA. This way the application can know the data-encrypting public keys at all times, but the data-decrypting private keys can be encrypted by a symmetric key-encrypting key using AES.

When an employee wants to charge a credit card or start the monthly batch processing, the employee can supply the symmetric key-encrypting key to the application server by an HTTP POST form through SSL. The application server can then decrypt the data-decrypting private key and charge the appropriate credit cards. The application server will never store the plaintext private key or the key-encrypting key outside of RAM.

PCI-DSS v2.0 section 3.5 says the key-encrypting key has to be stored on something like a hardware security module (HSM) or tamper-evident storage with dual control and split knowledge. Are two employees required every time the application needs to charge a credit card? That doesn’t sound very practical. Can the application server cache the key-encrypting key in RAM the whole time it is up and running? What is an example of tamper-evident storage with dual control and split knowledge? How are other people handling this?
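The key-handling half of the design described above, as an added example rather than the poster's code or any vendor's: the key-encrypting key is assembled from two custodians' XOR shares (split knowledge), then used to wrap and unwrap the data-decrypting key with AES-GCM. Go standard library only; the share values and the stand-in private key are constructed by the caller.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// CombineKEK rebuilds the KEK from two custodians' XOR shares (split knowledge).
func CombineKEK(shareA, shareB []byte) []byte {
	kek := make([]byte, len(shareA))
	for i := range shareA {
		kek[i] = shareA[i] ^ shareB[i]
	}
	return kek
}

func newGCM(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek) // a 32-byte KEK selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapKey seals the data-decrypting key (e.g. the RSA private key's DER) under the KEK.
func WrapKey(kek, dek []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, dek, nil), nil
}

// UnwrapKey recovers the data-decrypting key for in-RAM use at charge time; a wrong
// KEK or a blob altered on disk fails the GCM tag check instead of yielding junk.
func UnwrapKey(kek, wrapped []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(wrapped) < ns {
		return nil, errors.New("wrapped key blob too short")
	}
	return gcm.Open(nil, wrapped[:ns], wrapped[ns:], nil)
}
```

Only the wrapped blob is written to disk; the plaintext key exists solely in memory after UnwrapKey. Wrapping does not by itself decide where the KEK shares live, which is the tamper-evident storage and dual-control part of the requirement.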