September 18-20, 2024 | DoubleTree by Hilton, San Jose, California

Cryptography and Key Management in PCI PIN and P2PE Standards (I20c)

Cryptography and key management are core techniques across the PCI (Payment Card Industry) family of standards, including PCI DSS (Data Security Standard), PCI PIN Security, PCI P2PE (Point-to-Point Encryption) and PCI PTS (PIN Transaction Security), and they are the foundation for meeting the data-protection requirements those standards define. This presentation introduces a set of security requirements and implementation proposals for cryptographic systems that address the risks covered by the PCI PIN and PCI P2PE standards.

The PCI PIN Security standard contains a complete set of requirements for the secure management, processing and transmission of personal identification number (PIN) data during online and offline payment card transaction processing at ATMs and at attended and unattended point-of-sale (POS) terminals. The following topics will be covered:

– The data flow of a PIN transaction
– The typical key loading and injection process for a secure cryptographic device (SCD), e.g. an ATM
– Split knowledge and dual control (m-of-n schemes)
– Chain of custody and the key management lifecycle
– Key block requirements for encrypted symmetric keys
– HSM usage and management

The PCI P2PE standard exists to facilitate the development, approval and deployment of PCI-approved P2PE solutions, which increase the protection of account data by encrypting it from the point of interaction (POI) within the encryption environment, where account data is captured, through to the point at which it is decrypted inside the decryption environment, effectively removing clear-text account data between those two points. An example P2PE implementation, and how data is encrypted using a PCI-approved POI device, will be introduced. The requirements common to PCI PIN and P2PE will then be analyzed, including but not limited to device management, key injection facilities, key management and strong cryptography, and physical security.
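The split-knowledge and dual-control item above is usually explained in words only. The following Go program is an added example written for this page (it is not code from the presentation, from PCI SSC or from any HSM vendor) that shows the m-of-n idea concretely: a 16-byte key is split into n custodian components over GF(2^8) so that any m of them reconstruct it and any m-1 reveal nothing, and a 3-byte key check value (KCV) is computed so custodians can confirm a component or the assembled key without seeing it. The Share structure, the function names and the choice of "encrypt an all-zero block" for the KCV are this example's own assumptions; the key-check construction that a given standard accepts for a given key type must be taken from that standard, not from here.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Share is one custodian's key component (layout is this example's own, not
// a PCI format): X identifies the custodian (1..n), Y holds one polynomial
// evaluation per key byte, Threshold is m.
type Share struct {
	X         byte
	Y         []byte
	Threshold int
}

// gfMul multiplies in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES field).
func gfMul(a, b byte) byte {
	var p byte
	for i := 0; i < 8; i++ {
		if b&1 != 0 {
			p ^= a
		}
		carry := a & 0x80
		a <<= 1
		if carry != 0 {
			a ^= 0x1b
		}
		b >>= 1
	}
	return p
}

// gfInv returns a^254 = a^-1 (a^255 = 1 for every non-zero field element).
func gfInv(a byte) byte {
	r := byte(1)
	for i := 0; i < 254; i++ {
		r = gfMul(r, a)
	}
	return r
}

// SplitKey produces n shares such that any m reconstruct the key and any m-1
// reveal nothing: each key byte is the constant term of a random degree m-1
// polynomial evaluated at x = 1..n. m = n is the "all components required" case.
func SplitKey(key []byte, m, n int) ([]Share, error) {
	if m < 1 || m > n || n > 255 {
		return nil, errors.New("need 1 <= m <= n <= 255")
	}
	coeffs := make([]byte, (m-1)*len(key)) // coefficient k of byte i at [(k-1)*len+i]
	if _, err := rand.Read(coeffs); err != nil {
		return nil, err
	}
	shares := make([]Share, n)
	for j := range shares {
		x := byte(j + 1)
		shares[j] = Share{X: x, Y: make([]byte, len(key)), Threshold: m}
		for i, s := range key {
			y := byte(0) // Horner: ((c_{m-1} x + c_{m-2}) x + ...) x + s
			for k := m - 1; k >= 1; k-- {
				y = gfMul(y, x) ^ coeffs[(k-1)*len(key)+i]
			}
			shares[j].Y[i] = gfMul(y, x) ^ s
		}
	}
	return shares, nil
}

// CombineShares rebuilds the key from at least Threshold shares by Lagrange
// interpolation at x = 0. Too few shares are rejected outright instead of
// yielding a plausible-looking but wrong key.
func CombineShares(shares []Share) ([]byte, error) {
	if len(shares) == 0 {
		return nil, errors.New("no shares")
	}
	m, keyLen := shares[0].Threshold, len(shares[0].Y)
	if len(shares) < m {
		return nil, fmt.Errorf("have %d shares, need %d", len(shares), m)
	}
	shares = shares[:m]
	key := make([]byte, keyLen)
	for j, sj := range shares {
		if len(sj.Y) != keyLen {
			return nil, errors.New("share length mismatch")
		}
		basis := byte(1) // prod_{k != j} x_k / (x_k - x_j); "-" is XOR in GF(2^8)
		for k, sk := range shares {
			if k == j {
				continue
			}
			if sk.X == sj.X {
				return nil, errors.New("duplicate share")
			}
			basis = gfMul(basis, gfMul(sk.X, gfInv(sk.X^sj.X)))
		}
		for i := 0; i < keyLen; i++ {
			key[i] ^= gfMul(sj.Y[i], basis)
		}
	}
	return key, nil
}

// KCV returns the 3-byte check value used to confirm a key was entered
// correctly without exposing it. Assumed form: AES-encrypt an all-zero block.
func KCV(key []byte) (string, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	var zero, out [aes.BlockSize]byte
	c.Encrypt(out[:], zero[:])
	return hex.EncodeToString(out[:3]), nil
}

func main() {
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	shares, _ := SplitKey(key, 2, 3) // 2-of-3: any two custodians suffice
	kcv, _ := KCV(key)
	rebuilt, err := CombineShares([]Share{shares[0], shares[2]})
	kcv2, _ := KCV(rebuilt)
	fmt.Printf("key KCV %s; custodians 1 and 3 rebuilt KCV %s (err=%v)\n", kcv, kcv2, err)
}
```

Each custodian's component on its own is a point on a random polynomial, so it carries no information about the key; the KCV is the value that should be recorded on the chain-of-custody paperwork for the component, never the component itself.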
Both standards require that SCDs be FIPS 140 validated at Level 3 or PCI PTS approved. In addition, the "Minimum and Equivalent Key Sizes and Strengths for Approved Algorithms" defined in the annex of each standard are identical. The talk will also emphasize the requirement that encrypted symmetric keys be managed in key blocks, and the effective dates the PCI standards set for its implementation: external connections by 1 June 2021, and all merchant hosts, POS devices and ATMs by 1 June 2023. The challenges this raises, and a proposed approach, will be discussed.

Testing that cryptographic algorithms are implemented correctly is a prerequisite for FIPS 140-2 and FIPS 140-3 cryptographic module testing and for NIAP Common Criteria evaluations. Entities in the PCI industry are encouraged to test their cryptographic algorithm implementations (e.g. AES), especially those they develop themselves, using the Automated Cryptographic Validation Protocol (ACVP) developed by NIST; this gives further assurance that the algorithms are implemented correctly and makes the testing more efficient.

Finally, a proposal for combining the same or similar requirements defined across different PCI standards will be discussed. The combined requirements could be issued as a separate package (similar to the package concept in Common Criteria) that different standards then reuse. Each standard's text would be shorter, and maintaining the individual packages would be easier than updating whole standard documents every time. Typical candidates for such packages include key management, key sizes and strengths for approved algorithms, physical security (with predefined levels), and SCD management.
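To make the ACVP recommendation concrete, here is an added Go example written for this page (not code from the presentation, from NIST or from any ACVP client project). It answers an AES-ECB "AFT" (algorithm functional test) vector set in the JSON layout ACVP uses for that algorithm, for both the encrypt and decrypt directions, and refuses groups it does not implement (the Monte Carlo "MCT" type needs a chained procedure this example leaves out) or key lengths that disagree with the group's declared keyLen. The embedded vector set is constructed for the example rather than fetched from the NIST server; its two known answers are the FIPS 197 Appendix C AES-128 example and the all-zero key and block, so the pass/fail check can be run offline. Only the JSON fields this client needs are modelled; a real ACVP exchange carries more, and the server, not the client, does the grading.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// VectorSet, TestGroup and TestCase model the AES-ECB AFT fields this client uses.
type VectorSet struct {
	VsID       int         `json:"vsId"`
	Algorithm  string      `json:"algorithm"`
	TestGroups []TestGroup `json:"testGroups"`
}

type TestGroup struct {
	TgID      int        `json:"tgId"`
	TestType  string     `json:"testType"`
	Direction string     `json:"direction"`
	KeyLen    int        `json:"keyLen"`
	Tests     []TestCase `json:"tests"`
}

type TestCase struct {
	TcID int    `json:"tcId"`
	Key  string `json:"key"`
	PT   string `json:"pt,omitempty"`
	CT   string `json:"ct,omitempty"`
}

// Response is what the client sends back: one answer per test case.
type Response struct {
	VsID       int             `json:"vsId"`
	TestGroups []GroupResponse `json:"testGroups"`
}

type GroupResponse struct {
	TgID  int            `json:"tgId"`
	Tests []CaseResponse `json:"tests"`
}

type CaseResponse struct {
	TcID int    `json:"tcId"`
	PT   string `json:"pt,omitempty"`
	CT   string `json:"ct,omitempty"`
}

// ecb applies the raw AES block function to each 16-byte block.
func ecb(key, in []byte, decrypt bool) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("input length %d is not a multiple of %d", len(in), aes.BlockSize)
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		if decrypt {
			c.Decrypt(out[i:], in[i:])
		} else {
			c.Encrypt(out[i:], in[i:])
		}
	}
	return out, nil
}

// RunAFT answers every AFT case in a vector set, rejecting anything it does
// not understand instead of returning half-filled responses.
func RunAFT(vectorSetJSON []byte) (*Response, error) {
	var vs VectorSet
	if err := json.Unmarshal(vectorSetJSON, &vs); err != nil {
		return nil, err
	}
	if vs.Algorithm != "ACVP-AES-ECB" {
		return nil, fmt.Errorf("unsupported algorithm %q", vs.Algorithm)
	}
	resp := &Response{VsID: vs.VsID}
	for _, g := range vs.TestGroups {
		if g.TestType != "AFT" {
			return nil, fmt.Errorf("group %d: test type %q not implemented", g.TgID, g.TestType)
		}
		gr := GroupResponse{TgID: g.TgID}
		for _, tc := range g.Tests {
			key, err := hex.DecodeString(tc.Key)
			if err != nil {
				return nil, fmt.Errorf("tcId %d: bad key hex: %v", tc.TcID, err)
			}
			if len(key)*8 != g.KeyLen {
				return nil, fmt.Errorf("tcId %d: key is %d bits, group declares %d", tc.TcID, len(key)*8, g.KeyLen)
			}
			cr := CaseResponse{TcID: tc.TcID}
			switch g.Direction {
			case "encrypt":
				pt, err := hex.DecodeString(tc.PT)
				if err != nil {
					return nil, fmt.Errorf("tcId %d: bad pt hex: %v", tc.TcID, err)
				}
				ct, err := ecb(key, pt, false)
				if err != nil {
					return nil, fmt.Errorf("tcId %d: %v", tc.TcID, err)
				}
				cr.CT = hex.EncodeToString(ct)
			case "decrypt":
				ct, err := hex.DecodeString(tc.CT)
				if err != nil {
					return nil, fmt.Errorf("tcId %d: bad ct hex: %v", tc.TcID, err)
				}
				pt, err := ecb(key, ct, true)
				if err != nil {
					return nil, fmt.Errorf("tcId %d: %v", tc.TcID, err)
				}
				cr.PT = hex.EncodeToString(pt)
			default:
				return nil, fmt.Errorf("group %d: unknown direction %q", g.TgID, g.Direction)
			}
			gr.Tests = append(gr.Tests, cr)
		}
		resp.TestGroups = append(resp.TestGroups, gr)
	}
	return resp, nil
}

// SampleVectorSet is constructed for this example in the ACVP AES-ECB AFT layout.
// tcId 1 and 3 are the FIPS 197 Appendix C AES-128 example; tcId 2 is the all-zero key and block.
const SampleVectorSet = `{
  "vsId": 1, "algorithm": "ACVP-AES-ECB",
  "testGroups": [
    {"tgId": 1, "testType": "AFT", "direction": "encrypt", "keyLen": 128, "tests": [
      {"tcId": 1, "key": "000102030405060708090a0b0c0d0e0f", "pt": "00112233445566778899aabbccddeeff"},
      {"tcId": 2, "key": "00000000000000000000000000000000", "pt": "00000000000000000000000000000000"}]},
    {"tgId": 2, "testType": "AFT", "direction": "decrypt", "keyLen": 128, "tests": [
      {"tcId": 3, "key": "000102030405060708090a0b0c0d0e0f", "ct": "69c4e0d86a7b0430d8cdb78070b4c55a"}]}]}`

// Expected answers for the sample (published known-answer values); the ACVP
// server holds these in a real run. Compared case-insensitively, as hex case varies.
var Expected = map[int]string{
	1: "69c4e0d86a7b0430d8cdb78070b4c55a",
	2: "66e94bd4ef8a2c3b884cfa59ca342b2e",
	3: "00112233445566778899aabbccddeeff",
}

func main() {
	resp, err := RunAFT([]byte(SampleVectorSet))
	if err != nil {
		panic(err)
	}
	for _, g := range resp.TestGroups {
		for _, c := range g.Tests {
			got := c.CT + c.PT
			fmt.Printf("tcId %d: %s pass=%v\n", c.TcID, got, strings.EqualFold(got, Expected[c.TcID]))
		}
	}
	out, _ := json.Marshal(resp)
	fmt.Println(string(out)) // the JSON a real client would POST back to the server
}
```

Pointing the same `RunAFT` at a module's own AES implementation instead of Go's `crypto/aes` is the whole point of the exercise: the vector set and the comparison stay the same, and a single failing tcId localizes an implementation error to a key length and direction before a FIPS 140 or Common Criteria lab ever sees the module.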