WithPCI.com

3.6.1.2 Secret and private keys used to protect stored account data

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

3.6.1.2 Secret and private keys used to protect stored account data are stored in one (or more) of the following forms at all times:

  • Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key.
  • Within a secure cryptographic device (SCD), such as a hardware security module (HSM) or PTS-approved point-of-interaction device.
  • As at least two full-length key components or key shares, in accordance with an industry-accepted method.

Customized Approach Objective

Secret and private keys are stored in a secure form that prevents unauthorized retrieval or access.

Applicability Notes

It is not required that public keys be stored in one of these forms.

Cryptographic keys stored as part of a key management system (KMS) that employs SCDs are acceptable.

A cryptographic key that is split into two parts does not meet this requirement. Secret or private keys stored as key components or key shares must be generated via one of the following:

  • Using an approved random number generator and within an SCD,

OR

  • According to ISO 19592 or equivalent industry standard for generation of secret key shares.

Defined Approach Testing Procedures

3.6.1.2.a Examine documented procedures to verify it is defined that cryptographic keys used to encrypt/decrypt stored account data must exist only in one (or more) of the forms specified in this requirement.

3.6.1.2.b Examine system configurations and key storage locations to verify that cryptographic keys used to encrypt/decrypt stored account data exist in one (or more) of the forms specified in this requirement.

3.6.1.2.c Wherever key-encrypting keys are used, examine system configurations and key storage locations to verify:

  • Key-encrypting keys are at least as strong as the data-encrypting keys they protect.
  • Key-encrypting keys are stored separately from data-encrypting keys.

Purpose

Storing cryptographic keys securely prevents unauthorized or unnecessary access that could result in the exposure of stored account data. Storing keys separately means they are stored such that if the location of one key is compromised, the second key is not also compromised.

Good Practice

Where data-encrypting keys are stored in an HSM, the HSM interaction channel should be protected to prevent interception of encryption or decryption operations.
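The checks an assessor performs under 3.6.1.2.c (key-encrypting key at least as strong as, and stored separately from, the data-encrypting key) and the distinction the applicability note draws between full-length key components and a key merely cut in two are concrete enough to put in code. The following is an added example written for this page, not WithPCI's or the PCI SSC's code. It assumes NIST SP 800-57 security-strength equivalences as the yardstick for "at least as strong", treats "stored separately" as "held on a different system", and uses the conventional XOR key-component construction with the OS CSPRNG; the key inventory at the bottom is constructed for illustration.

```python
"""Checks behind PCI DSS 3.6.1.2 key storage forms (stdlib only)."""
import secrets
from dataclasses import dataclass

# Security strength in bits, per NIST SP 800-57 Part 1 Rev. 5, Table 2.
# Assumption: the page does not say how "at least as strong" is measured;
# this equivalence table is the editor's choice, not WithPCI's.
_STRENGTH_BITS = {
    ("AES", 128): 128, ("AES", 192): 192, ("AES", 256): 256,
    ("TDES", 168): 112,                      # three-key Triple DES
    ("RSA", 2048): 112, ("RSA", 3072): 128,
    ("RSA", 7680): 192, ("RSA", 15360): 256,
    ("EC", 256): 128, ("EC", 384): 192, ("EC", 521): 256,
}


@dataclass(frozen=True)
class StoredKey:
    """A key as inventoried under 3.6.1.2.b: what it is and where it lives."""
    name: str
    algorithm: str
    size_bits: int
    system: str    # host, HSM partition or KMS that holds the key material
    location: str  # path or slot within that system

    @property
    def strength_bits(self) -> int:
        return _STRENGTH_BITS[(self.algorithm, self.size_bits)]


def kek_at_least_as_strong(kek: StoredKey, dek: StoredKey) -> bool:
    """3.6.1.2.c, first bullet: compare security strength, not raw key length,
    so an RSA-2048 KEK (112-bit) does not pass for an AES-128 DEK."""
    return kek.strength_bits >= dek.strength_bits


def stored_separately(kek: StoredKey, dek: StoredKey) -> bool:
    """3.6.1.2.c, second bullet: compromise of one storage location must not
    hand over both keys, so two files on the same host are not "separate"."""
    return kek.system != dek.system


def check_kek_wrapping(kek: StoredKey, dek: StoredKey) -> list:
    """Findings an assessor would raise for a KEK/DEK pair (empty list = pass)."""
    findings = []
    if not kek_at_least_as_strong(kek, dek):
        findings.append(f"{kek.name}: {kek.strength_bits}-bit strength is below "
                        f"{dek.name}'s {dek.strength_bits}-bit strength")
    if not stored_separately(kek, dek):
        findings.append(f"{kek.name} and {dek.name} are both held on {kek.system}")
    return findings


def split_into_components(key: bytes, n: int = 2) -> list:
    """Full-length key components in the XOR form used by ANSI X9.24-style
    key ceremonies, generated here from the OS CSPRNG: each component is as
    long as the key and uniformly random, and the key is the XOR of all of
    them, so any n-1 components together reveal nothing about the key."""
    if n < 2:
        raise ValueError("at least two components are required")
    components = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for c in components:
        last = bytes(a ^ b for a, b in zip(last, c))
    components.append(last)
    return components


def combine_components(components: list) -> bytes:
    """Reassemble the key by XORing all components (the key-loading step)."""
    key = bytes(len(components[0]))
    for c in components:
        key = bytes(a ^ b for a, b in zip(key, c))
    return key


def split_in_half(key: bytes) -> list:
    """The form the applicability note rules out: each piece IS half the key."""
    mid = len(key) // 2
    return [key[:mid], key[mid:]]


def keys_consistent_with_one_piece(key_len: int, piece_len: int, scheme: str) -> int:
    """Number of keys still possible for an attacker holding one piece.
    Components: the other component is uniform, so every key remains possible.
    Halves: only the bytes the attacker does not hold are free."""
    if scheme == "components":
        return 2 ** (8 * key_len)
    if scheme == "halves":
        return 2 ** (8 * (key_len - piece_len))
    raise ValueError(scheme)


if __name__ == "__main__":
    # Constructed inventory for illustration, not a real deployment.
    dek = StoredKey("card-db DEK", "AES", 256, "app-host-01", "/etc/app/dek.wrapped")
    for kek in (StoredKey("KEK (same host)", "AES", 256, "app-host-01", "/etc/app/kek.bin"),
                StoredKey("KEK (RSA-2048 in KMS)", "RSA", 2048, "kms-01", "key/7"),
                StoredKey("KEK (HSM)", "AES", 256, "hsm-partition-3", "label=kek")):
        print(kek.name, "->", check_kek_wrapping(kek, dek) or "pass")

    key = secrets.token_bytes(32)
    parts = split_into_components(key, 3)
    assert combine_components(parts) == key
    print("one of two halves leaves", keys_consistent_with_one_piece(32, 16, "halves"), "keys")
    print("one of two components leaves", keys_consistent_with_one_piece(32, 32, "components"), "keys")
```

Run as a script it prints one finding line per KEK scenario and the two candidate-key counts; the numbers make the applicability note's point directly: a custodian holding one of two 256-bit components still faces 2^256 possible keys, while a custodian holding one half of the same key faces 2^128. The strength table is deliberately keyed by (algorithm, size) so that an unknown combination raises rather than silently passing.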

purpose

Keep the secret and private keys that protect stored account data in a form that prevents unauthorized retrieval: wrapped by a separately stored key-encrypting key of at least equal strength, held inside an SCD, or held as two or more full-length key components or key shares.

compliance strategies

  • Envelope encryption: data-encrypting keys wrapped by a key-encrypting key of equal or greater strength, with the KEK held on a separate system (for example an HSM, or a KMS backed by SCDs)
  • Key storage inside an HSM or a PTS-approved point-of-interaction device
  • Two or more full-length key components or key shares, generated within an SCD using an approved RNG or per ISO 19592, each held by a different custodian

typical policies

  • Key Management Policy (permitted key storage forms, KEK requirements, custodianship of key components)

common pitfalls

  • Data-encrypting keys stored in plaintext in application configuration, source code or databases
  • KEK and DEK stored on the same server, in the same file or in the same configuration store
  • KEK weaker than the DEK it protects (for example an RSA-2048 KEK, roughly 112-bit strength, wrapping an AES-256 DEK)
  • A key cut into halves and labelled "components": each half exposes part of the key, so this form does not meet the requirement

type

Technical/Process Control

difficulty

High

key risks

  • Exposure of a plaintext key, which exposes all account data encrypted under it
  • A single compromised location yielding both the DEK and the KEK that wraps it

recommendations

  • Store keys in an SCD, or wrap them with a KEK of at least equal strength that is held on a separate system; confirm both the strength comparison and the separation by examining system configurations and key storage locations (3.6.1.2.b and 3.6.1.2.c)

Eligible SAQ

  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
