PCI DSS and key managementThe PCI standard provides specific guidelines for achieving and maintaining compliance. The 12 primary sections are broken into a number of requirements. Requirements 3.5 and 3.6 of Section 2 offer specific language that define how encryption keys are to be managed in order to achieve compliance.
Note that the standard does not distinguish or suggest priority treatment between symmetric and private key management. Both key types must be properly secured in order to be PCI DSS compliant. PCI requirement 3 mandates proper key management to protect against "both disclosure and misuse" and must be fully "documented and implemented" for all key types.
When data is protected by encrypting it with a private key and a certificate, the key becomes the data that must be protected. If the private key is not well managed and protected, the risk of data loss or theft increases dramatically. This threat becomes particularly acute when data is protected by keys that reside in a container or "keystore" (or on multiple keystores) with shared, administrative access. The keys that protect the data are often accessible to multiple administrators with no audit or access controls, and are often distributed widely and insecurely within organizations.
The link for this article located at IT World is no longer available.