PCI Requirement 3.6.4 Cryptographic Key Changes at Cryptoperiod Completion

Encryption keys have a lifespan. PCI Requirement 3.6.4 states, “Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines.” Cryptoperiods are a major topic when discussing key management. So, what exactly is a cryptoperiod? A cryptoperiod is not period of time, like a month, week, or year. Rather, a cryptoperiod represents the number of transactions that a key is valid for. There are multiple factors that define a cryptoperiod. For example, key length, key strength, algorithms, exposure – all of these elements factor in. The result of these factors is the cryptoperiod. Watch this clip of Jeff Wilder explaining cryptoperiods to hear more about PCI Requirement 3.6.4. If you store, process, or transmit cardholder data, interact with payment card data in any way, or have the ability to impact someone else’s cardholder information or the security of that information, you are subject to comply with the PCI DSS. This exclusive video series, PCI Demystified, was developed to assist your organization in understanding what the Payment Card Industry Data Security Standard (PCI DSS) is, who it applies to, what the specific requirements are, and what your organizations needs to know and do to become compliant. Learn more at https://kirkpatrickprice.com/video/pci-requirement-3-6-4-cryptographic-key-changes-cryptoperiod-completion/ Video Transcription When developing these keys and put them into production, understand that the encryption keys that you’re using have a given lifespan. When we specifically look at the requirements within 3.6, it states that you must rotate the keys at the end of their defined cryptoperiod. So if you’re using encryption in your environment, your assessor should be asking what your defined cryptoperiod is. Once again, it’s not up to us as assessors to define what your cryptoperiod is, but it is up to us to determine if you’ve done your due diligence around the time period that you use your key. If I come in to assess your organization and I say, “Hey Johnny, what is your cryptoperiod?” and you say, “Well Jeff, our cryptoperiod is every year and we rotate the key then,” I might say then, “Fine, that’s great. How did you define your cryptoperiod to be a year?” If you answer, “Just because that’s what’s done,” or “That’s the way it’s always been done,” isn’t typically enough. Understand that a cryptoperiod does not necessarily define a period of length. A cryptoperiod is not a month, a week, a year, three years, six years, whatever. A cryptoperiod is typically a number of transactions that a key is good for. So as to give an example, you need to take in multiple factor. I would recommend that you do some Google-searching on defining a cryptoperiod. But effectively what we’re going is we’re taking the key strength, the key length, the encryption algorithm that we’re using, the exposure to the key – there’s multiple variables that go into defining what a cryptoperiod is. So, we kind of take all of these numbers and we crunch them and the output of that is not a month, a year – it’s a number of transactions. The output of your numbers might say, “This encryption algorithm key that we have is good for a thousand transactions,” or it might be good for one transaction, or it might be good for a million transactions. So now that we have the number of transactions that the key is good for, then we have to look at how many transactions you process in a year. Stay Connected Twitter: https://twitter.com/KPAudit LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc Facebook: https://www.facebook.com/kirkpatrickprice/ More Free Resources PCI Demystified: https://kirkpatrickprice.com/pci-demystified/ Blog: https://kirkpatrickprice.com/blog/ Webinars: https://kirkpatrickprice.com/webinars/ Videos: https://kirkpatrickprice.com/video/ White Papers: https://kirkpatrickprice.com/white-papers/ About Us KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more about KirkpatrickPrice: https://kirkpatrickprice.com/ Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/