PCI Requirement 3.6.1 requires, “Generation of strong cryptographic keys.” It also requires that, “The encryption solution must generate strong keys, as defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms under ""Cryptographic Key Generation.""
The intent of PCI Requirement 3.6.1, according to the PCI DSS, is to “significantly increases the level of security of encrypted cardholder data.” PCI Requirement 3.6.1 is part of the 8 sub-requirements of PCI Requirement 3.6, which is meant to build your organization’s key management program because, the PCI DSS states, “The manner in which cryptographic keys are managed is a critical part of the continued security of the encryption solution. A good key management process, whether it is manual or automated as part of the encryption product, is based on industry standards and addresses all key elements at 3.6.1 through 3.6.8.”
We recommend that you perform a risk assessment around the generation of your cryptographic keys; this way, you can see if your keys become weakened or hold up. Industry standards, like NIST, should be used when determining how to manage and generate keys.
If you store, process, or transmit cardholder data, interact with payment card data in any way, or have the ability to impact someone else’s cardholder information or the security of that information, you are subject to comply with the PCI DSS. This exclusive video series, PCI Demystified, was developed to assist your organization in understanding what the Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what the specific requirements are, and what your organizations needs to know and do to become compliant.
Learn more at https://kirkpatrickprice.com/video/pci-requirement-3-6-1-generation-strong-cryptographic-keys/
If you’re using encryption within your environment, you need to use strong encryption. What this effectively means is that you need to generate strong keys. Once again, you need to be using an industry best practice for this. One of the things that I would recommend that you do as part of your risk management program, just like the annual risk assessment that you’re required to do, is that you perform somewhat of a risk assessment around the generation of your keys. If during the period of time, your encryption keys become deprecated or weakened because of some change to the industry, you must have a process for generating a new key. We’ll be talking about that in a subsequent video.
Specific to PCI Requirement 3.6.1, you have to have a process in place where you’re actually generating strong keys. IF you have an HSM, that’s kind of inherent in using the HSM itself. If you have a clear text process where you’re managing or developing these keys, it needs to be done securely. I would recommend that you look at industry best practices like NIST 800-57 for that information.
More Free Resources
PCI Demystified: https://kirkpatrickprice.com/pci-demystified/
White Papers: https://kirkpatrickprice.com/white-papers/
KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks.
For more about KirkpatrickPrice: https://kirkpatrickprice.com/
Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/