PCI 3:: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
(3 intermediate revisions by the same user not shown) | |||
Line 30: | Line 30: | ||
:::* Truncation | :::* Truncation | ||
:::* Index tokens and PADs, with the PADs being securely stored | :::* Index tokens and PADs, with the PADs being securely stored | ||
:::* Strong cryptography, such as Triple-DES 128-bit or AES 256-bit with associated key management processes and procedures. | :::* Strong cryptography, such as Triple-DES 128-bit or [[AES | Advanced Encryption Standard]] (AES) 256-bit with associated key management processes and procedures. | ||
<br> | <br> | ||
::* '''The MINIMUM account information that needs to be rendered unreadable is the payment card account number.''' | :::* '''The MINIMUM account information that needs to be rendered unreadable is the payment card account number.''' | ||
<br> | <br> | ||
---- | ---- | ||
Line 45: | Line 45: | ||
<br> | <br> | ||
:'''PCI-3.6 Fully document and implement all key management processes and procedures, including:'''<br> | :'''PCI-3.6 Fully document and implement all key management processes and procedures, including:'''<br> | ||
<br> | |||
::* Verify the existence of key management procedures. | |||
<br> | |||
::'''For Service Providers only:''' | |||
<br> | |||
::If the Service Provider shares keys with their customers for transmission of cardholder data, verify that the Service Provider provides documentation to customers that includes guidance on how to securely store and change customer’s encryption keys (used to transmit data between customer and service provider).<br> | |||
<br> | |||
::Examine the key management procedures and determine the procedures require the following:<br> | |||
<br> | <br> | ||
::[[Image:Key-control.jpg]][[PCI-3.6.1:|PCI-3.6.1 Generation of strong keys.]]<br> | ::[[Image:Key-control.jpg]][[PCI-3.6.1:|PCI-3.6.1 Generation of strong keys.]]<br> |
Latest revision as of 11:52, 28 March 2008
Requirement 3: Protect stored data.
- Note that this does not apply to those employees and other parties with a specific need to see full credit card numbers.
- PCI-3.2 Do not store sensitive authentication data subsequent to authorization (not even if encrypted):
- Note that this does not apply to those employees and other parties with a specific need to see full credit card numbers.
- One-way hashes (hashed indexes), such as SHA-1
- Truncation
- Index tokens and PADs, with the PADs being securely stored
- Strong cryptography, such as Triple-DES 128-bit or Advanced Encryption Standard (AES) 256-bit with associated key management processes and procedures.
- The MINIMUM account information that needs to be rendered unreadable is the payment card account number.
- PCI-3.5 Protect encryption keys against both disclosure and misuse.
- PCI-3.6 Fully document and implement all key management processes and procedures, including:
- Verify the existence of key management procedures.
- For Service Providers only:
- If the Service Provider shares keys with their customers for transmission of cardholder data, verify that the Service Provider provides documentation to customers that includes guidance on how to securely store and change customer’s encryption keys (used to transmit data between customer and service provider).
- If the Service Provider shares keys with their customers for transmission of cardholder data, verify that the Service Provider provides documentation to customers that includes guidance on how to securely store and change customer’s encryption keys (used to transmit data between customer and service provider).
- Examine the key management procedures and determine the procedures require the following:
- Examine the key management procedures and determine the procedures require the following:
--Mdpeters 08:33, 26 June 2006 (EDT)