We talk a lot here about the importance of PCI Compliance and highlight the PCI DSS goals and requirements that business owners need to understand in order to secure their data. One of the most often misunderstood provisions of the PCI DSS is that of “key management” referring to the private encryption and other code keys that protect electronically stored cardholder data.
An important maxim in computer technician parlance is, “the key is the data,” meaning that if your stored data is protected with an encrypted certificate, the private key is the primary information that need to be kept secret. This is because without the exact private decryption key, the stored data is unusable. If the private key is compromised, all data encrypted on the same certificate is at risk.
You might think it a logical assumption that the practice of managing these high value private keys to be an inherent part of basic security and a given that IT professionals realize key management’s importance. But after speaking with IT technicians in a variety of fields, not all of which are required to adhere to PCI Compliance mandates, this isn’t always the case.
An IT contractor who I’ve worked with now and again for years explains why private key management is so often mishandled or misunderstood causing severe vulnerabilities to network and data integrity. He said that many IT administrators don’t realize that managing encryption certificates includes managing the encryption keys. The PCI DSS requirements do not specifically instruct administrators to change passwords on a regular basis to maintain PCI Compliance. Reason being, it should be just understood that protection of cardholder data, which the PCI DSS mandates must be encrypted if transmitted or stored, includes the routine changing of user ID’s and passwords.
PCI DSS requirement 8.5 simply states that for PCI compliance you must: Ensure proper user authentication and password management for non-consumer users and administrators on all system components. Old passwords and unused existing passwords (never deleted) from former employees are liabilities laying in wait. It’s up to your trusted IT department to know what this means.