PCI DSS Requirement 3.6

Release Notes
- SAKA 4.12.0
- SAKA 4.11.0
- Back
Preface
- Default Paths and Filenames
- Third-Party Website References
- Strongkey Welcomes Your Comments!
- Back
KAM Introduction
Architecture
Installation
- Preliminary Steps
- Install Components (Primary)
- Install Components (Secondary)
- Define KCs (Primary)
- Verify KCs (Secondary)
- Set Personal Identification Numbers (PINs) [Primary]
- Set PINs and Complete Key Migration [Secondary]
- Create System Users [Primary]
- Create a New Encryption Domain [Primary]
- Complete Second Domain Key Migration [Secondary]
- Add System Users [Primary]
- Configure the SKCE domain [Primary]
- Replicate the CEM Domain [Secondary]
- Back
CCS Web Service Operations
- CCReturnObject
- Manufacturer Identifiers for Processing CardHolder Data (CHD)
- CCS Module GetCardCaptureData Mechanics
- CCS Module DukptEncrypt Mechanics
- CCS Module DukptDecrypt Mechanics
- CCS Module DukptMAC Mechanics
- CCS Module ReencryptPINBlock Mechanics
- Back
KAM Web Service Operations
- KAM Encryption Mechanics
- KAM Decryption Mechanics
- Notes on the Mechanics
- KAM Deletion Mechanics
- KAM Search Mechanics
- KAM Entropy Mechanics
- KAM General Purpose Key Encryption Mechanics
- KAM General Purpose Key Decryption Mechanics
- KAM Batch Operations
- KAM Relay Mechanics
- HTTPS Interface
- SOAP Interface
- Back
KMS Web Service Operations
- CCReturnObject
- CCKeyComponentType
- CCCryptographicMaterialType
- CCEncryptedAnsiX9241KeyType
- KMS Module loadKeyComponent Mechanics
- KMS Module loadBaseDerivationKey Mechanics
- KMS Module generateBaseDerivationKey Mechanics
- KMS Module generateInitialKey Mechanics
- KMS Module storeAnsiX9241Key Mechanics
- KMS Module replaceAnsiX9241Key Mechanics
- KMS Module deleteAnsiX9241Key Mechanics
- KMS Module updateAnsiX9241Key Mechanics
- Back
KAM Batch Operations
- SKLESBatchInput Element
- SKLESBatchOutput Element
- Generating the SBI XML file
- Transferring XML Files to and from the Appliance
- Submitting Batch Operations
- Back
KAM DemoClients
- Installing SAKA Clients
- sakaclient.jar Operations
- Back
KAM KCSetPINTool
- Setting KC Preferences
- Changing KC Passwords
- Setting the KC PIN on the SAKA Server
- Back
KAM DACTool
- Changing DA Passwords
- Preferences
- Systems
- Domains
- Users
- Jobs
- Configuration
- Back
KAM Key Migration Tool
- Prerequisites
- Back
KAM KMS ConsoleTool
- Loading Key Components
- Loading a BDK
- Storing ANSI X-924.1 Keys from Key Components
- Storing ANSI X-924.1 Keys from Wrapped Keys
- Back
KAM Configuration
- Immutable Configuration
- Mutable Configuration
- Sample Configuration File
- Back
KAM Key Management
- Cryptographic Hardware Modules
- Back
HSM Integration
- Building the HSM Driver
  - Rebuilding the HSM Driver
  - Back
- HSM Administration Basics
- Clearing the HSM
- Setting Up the HSM
- Backing up the HSM
- Restoring from a Backup
- Back
Managing Credentials
- KAM Credentials
- HSM Credentials
- System Credentials
- Linux strongauth
- Back
Changing Hostname and IP
- Changing the IP Address
- service iptables restart
- Changing the Hostname
- Back
Internal Repositories
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Appliance Security
- Physical Security
- Operating System
- Appliance Credentials
- Back
PCI DSS 3.2
- Requirement 3: Protect Stored Cardholder Data
- Requirement 6: Develop and Maintain Secure Systems and Applications
- Back
KC Responsibilities
Add New SKCE Domain
KAM Replication
- Replicate Essentials Only
- Back
Appendices
- Using a Custom Trust Store
- Using the Key Migration Tool (KMTool)
  - Pre-requisites
  - Mechanics
  - Details
  - Back
- Modifying the Appliance's IP Address or Hostname
- Relay Webservice
  - Mechanics of the Relay
  - Deploying the service
  - Relay Webservice Client
  - HTTP interface
  - SOAP interface
  - Back
- Installing KCSPTool and DACTool on Windows
  - Installation
  - Back
- KAM KC Replace Tool
  - Prerequisites
  - Validating Credentials
  - Recreate a set of Key Custodians
  - Create a new set of Key Custodians
  - Back
- Migration Information
- Using HAProxy as a Load Balancer
- MariaDB Audit Logging Configuration
  - Enable MariaDB Audit Logging
  - Monitoring the MariaDB for Replication anomalies
  - Disable MariaDB Audit Logging
  - The counts_v2.sql file
  - Back
- Application Development Guide
  - Application Design for “Card Not Present” transactions
  - Storing Encryption Domain Identifier (DID)
  - Securing Decryption Credentials
  - Cluster Communications
  - Relay Processing
  - Summary on “Card Not Present” transactions
  - Back
- Setting up LACP Bonding on Tellaro KA
- Strongkey Tellaro & Ransomware Protection
- Adding an Additional Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 On the EXISTING node
  - Step #4 on the NEW node
  - Back
- Adding a Data Recovery Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 on the EXISTING node
  - Step #4 on the NEW node
  - Post-Installation
  - Back
- Batch Delete Tokens
- CIS Hardening Verification RHEL 7.X
- CIS Hardening Verification ROCKY 9.X
- Migrating from Centos to Rocky
  - Rocky Linux Kickstart USB Guide
  - Step 1: On an Existing Production Server in the Cluster
  - Step 2: On the Same Machine after Installing Rocky 9.2
  - Back
- KA Replace EOL Node
  - Prerequisites
  - Step 1 (On New SAKA)
  - Step 2 (On EOL SAKA)
  - Step 3 (On New SAKA)
  - Step 4 (On EOL SAKA)
  - Step 5 (On New SAKA)
  - Step 6 (On EOL SAKA)
  - Step 7 (On New SAKA)
  - Back
- Cleanup SAKA Disk Space
  - Cleanup Old Distributions and Files
  - Cleanup Database Tables
    - Cleanup Encryption Requests Table
    - Back
  - Back
- Using Custom SSL/TLS Certificates
  - Generating a TLS certificate with the SAN extension
  - Installing the keystore on SAKA
  - Conclusion
  - Back
- Reboot StrongKey Tellaro
  - Pre-Reboot
  - Reboot
  - Post-Reboot
  - Back
- Configure Syslog
- Back

Fully document and implement all key management processes and procedures for cryptographic keys used for encryption of CHD, including the following:

How SAKA meets this requirement: SAKA relies on industry standard security components to create a secure Symmetric Key Management Systems (SKMS). Using “Chains of Control” to separate the establishment of an SKMS from its day-to-day operations, the SAKA embodies sound key management principles while scaling to meet internet-level demands.

PCI DSS Requirement	How SAKA Meets this Requirement
3.6.1—Generation of strong cryptographic keys.	How SAKA meets this requirement: SAKA generates DEKs using content from FIPS-certified HSM or TPM, both of which provide a true Random Number Generator (RNG) as a product feature. SAKA only generates 128-, 192-, and 256-bit AES, and 256-bit EC keys.
3.6.2—Secure cryptographic key distribution.	How SAKA meets this requirement: SAKA does not hand out cryptographic keys to any requesting application. All keys are generated, stored, and used within the appliance and only replicated to another appliance over a trusted network. However, even if the encrypted keys fall into the wrong hands, without the cryptographic hardware module, it is computationally infeasible to decrypt them, since the Root 2048-bit key that can decrypt the chain is unavailable outside the cryptographic hardware module.
3.6.3—Secure cryptographic key storage.	How SAKA meets this requirement: SAKA's use of the “Chain of Control” concept allows DEKs to be treated like ordinary files on the operating system, or like records within a database. However, because DEKs are always encrypted under an encryption domain's key, and because the private key (which can decrypt the encrypted keys) of the Root key is stored inside cryptographic hardware modules (which in turn are protected by multiple KCs), access to the decrypted DEK is non-trivial to very difficult for unauthorized entities. The standard use of approved cryptographic hardware modules in SAKA ensures that in the event the hardware module detects attacks, the modules can either lock up (requiring a Security Officer to reset the module), zero out (erase) key material inside the keystore, and/or introduce increasing delays in responses when subjected to dictionary and/or rainbow table attacks.
3.6.4—Cryptographic key changes for keys that have reached the end of their crypto-period (for example, after a defined period of time has passed, and/or after a certain amount of ciphertext has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-57).	How SAKA meets this requirement: SAKA includes the ability to automatically rotate DEKs without shutting down cryptographic services or applications that rely on them. Since keys never leave SAKA, and applications store a “token” to uniquely identify a PAN, SAKA can rotate keys at will or periodically without changing the token, thus isolating applications from this housekeeping duty.
3.6.5—Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a cleartext key component), or keys are suspected of being compromised.	How SAKA meets this requirement: Using the same methodology described in the earlier section (for key rollover), SAKA can be used to replace compromised DEKs. DEKs can also be rotated at will at any time without affecting the applications. The SAKA also provides software “jobs” to delete encrypted PANs when they are past their data retention period (which is customizable). Once all encrypted PANs are deleted from the SAKA, site personnel have the ability to delete DEKs from the SAKA appliance.
3.6.6—If manual cleartext cryptographic key management operations are used, these operations must be managed using split knowledge and dual control.	How SAKA meets this requirement: SAKA meets this requirement through its “Chain of Control” concept. The SAKA installation requires a minimum of three KCs who are issued strong credentials (256-bit EC key pairs) used to digitally sign commands activating the cryptographic hardware module within SAKA. Until all KCs activate the cryptographic hardware module, the cryptographic services will not be enabled even if the database and application server are running.
3.6.7—prevention of unauthorized substitution of cryptographic keys.	How SAKA meets this requirement: SAKA automatically generates, encrypts, and manages all DEKs. To substitute DEKs inside the SAKA, attackers must not only compromise operating system and database security, but must also compromise the cryptographic hardware module to access its key pair, then encrypt the DEK and substitute it in the database. While there is no such things as perfect security, this degree of compromise requires a significant level of access to the SAKA appliance that is normally detected though other PCI DSS controls.
3.6.8—Requirement for cryptographic KCs to formally acknowledge that they understand and accept their responsibilities.	How SAKA meets this requirement: This is a procedural requirement addressed outside the realm of technology.