The struggle to guarantee information security constructs the foundation of cryptography in key management. Cryptography, indisputably, is the most constructive solution that the Payment Card Industry has against increasingly sophisticated and complicated security hacks. However, to match with the newly evolving threats, regulations concerning the implementation of cryptographic layers are becoming more evolving, more complicated at the same time. The overall goal behind such constant improvements is quite clear – To Strengthen EMV Key Management.
Another reason that securing EMV key management should be attended more comprehensively that ever before is the gradual rise of mPOS platforms. The ‘m-revolution’ is no more an idea, popping from the pages of fiction. It is, now, very much a reality and empowering customers and merchants alike. While there is no denying that with gradual course of time use of the mPOS will increase and more advanced platforms will appear, on the other hand, managing as well as securing the huge amount of cardholder data will become a major headache for the concerned organizations. In this situation, encryption and encryption key management are the best solutions that the data processing companies may opt for.
The Overwhelming Presence of EMV Key:
The payment card industry is currently undergoing a giant transition of shift from magnetic stripe to chip cards and the process of transition commenced almost a decade before. EMV – the term became popular since the process of shifting from stripe to chips was initiated by three industry leaders, Europay (currently operating under MasterCard), MasterCard and Visa. The sole objective behind this move has been increasing number of security frauds, liability shift and technological advancement, especially in the mobile domain. The EMV chips not only incorporate cryptographic co-processors and dual interfaces (for contact and contactless payment) but also they are comparatively inexpensive. Furthermore, the contactless interface of the EMV chips has played the crucial part in making itself an integral part of the gradually expanding mobile payment domain. However, adding personalization (feeding in customer information along with digital certification and cryptographic keys) to the contactless interface of EMV cards is the prime challenge and need to be executed carefully.
Defining and Understanding Key Management:
According to ANSI X9.17, one of the most highly acknowledged key management standards, the process is an accumulation of “… methods (including the protocol) for the generation, exchange, use, storage and destruction of these secret keys. This standard not only permits interoperability among financial institutions, but also permits interoperability between financial institutions and their wholesale customers.”
Determining any specific mode of key management system is difficult. While formulation of a strategic measure, apart from technicalities, there are several other aspects that need to be considered, namely – government rules and regulations, restrictions, royalty and license. However, determination of the best management method is done by combining three factors: interrelation between the constituents of a network, cryptographic mechanisms and cryptographic services. Key management with EMV is highly preferred as the security design is well structured and they also provide data storing and processing organizations with the opportunity to comply with all the PCI Data Security Standards (PCI DSS). In order to ensure successful EMV key management by applying cryptographic layers, the mandatory thing to do is using a unique 3DES key and select of the three RSA signatures, namely:
- SDA (Static Data Authentication)
- DDA (Dynamic Data Authentication)
- CDA (Combined Data Authentication)
While these technicalities only focus on cryptography in EMV, on the other hand, they should be correctly complemented by PCI Data Security Standards for complete management of keys.
The Challenges of EMV Key Management and Encryption:
There are several factors that may function as major impediments to successful EMV key management and encryption, namely:
- Restricting Manual Data Breach:
The risk of manual data breach increases with malevolent system administrators and data managers, who have access to encryption keys and data. Using the valuable data, they receive the access to clean text data. The best way to restrict such attempts is isolating keys deliberately from a dedicated key management system.
- Restricting Malicious Apps:
It is important to identify and stop malicious apps/apps that have been affected by malware from having legitimate access to classified data.
- Restricting Access of Multiple Database Instances to the Same Keys:
Controlling multiple database instances demanding access to the same keys in a typical fashion is another major challenge to EMV key management and encryption. Failure to control not only increases the provisioning cost but also coordinating rotation of the data keys becomes a problem, increasing the risk of data breach.
- The Chance of Business Disruption:
Losing data key may lead to unavailability of valuable data and also makes decryption impossible. In this way, along with the risk of confidential data disclosure the chance of business disruption also increases.
- Safety from Super-users:
In many cases, super-users with the rights of broad access may change or disable encryption controls unless the scope for adequate crosschecking and measures of security balancing is there.
What are the Guidelines Concerning Encryption and Encryption Key Management?
The section 3 of PCI Data Security Standards has laid down the guiding principles for data protection through encryption and encryption key management. The controlling measures are:
- PAN (Primary Account Numbers) Encryption during data processing and storage: One of the prime areas of focus for PIC DSS regarding data security is protecting primary account numbers (PAN) while it is being stored, processed or transmitted. In this context, the most frequently used method is using industry standard encryption, determined by Advanced Encryption Standard (AES).
- Storing CVV or Track Data is an absolute no-no, even in an encrypted form: PCI Data Security Standards completely prohibits storing of card security code (CVV or CVV2) in any form whatsoever, including encryption. The same rule also applies for storing of PIN codes or magnetic strip data (Track 1 or Track 2), found on the back of payment cards.
- Encryption should be as per NIST standards: Not all types of encryption are recognized by PCI Data Security Standards. It suggests using those forms only that are industry tested and acknowledged accordingly. It means that companies are required to encrypt card data as per the norms and standards set by AES, RSA, Triple DES, or El Gemal. AES is one of the most popular standards and it can be tested and validated under the National Institute of Standards and Technology (NIST).
- Standard-based Best practices to keep Encryption Keys Safe: PCI DSS has made it clear that encryption keys should be protected from all sorts of unauthorized accesses. In order to put a stop on misuse of the data, PCI DSS has further recommended that the access should be restricted only to a limited number of personnel. The National Institute of Standards and Technology (NIST) has laid down the complete best practices guidance, concerning encryption key management in two documents, Recommendations for Key Management (SP-800-57 Part 1) and A Framework for Designing Cryptographic Key Management Systems (SP-800-130).
- Special Stress on Dual Control and Split Knowledge during the processing of Encryption Keys: PCI DSS has taken quite a strong stance upon the processing of encryption keys in the clear. In a situation like this, the use of dual control and split knowledge is a must requirement. The new-age key management system provides you with the assistance to meet these necessities concerning split knowledge by restricting encryption key management in the clear. On the other hand, dual control lets you adhere with PCI Data Security Standards by stopping any particular person from gaining access to an encryption key.
- Rotation of Data Encryption Keys and Key Encryption Keys based on the accurate crypto-period: The encryption that data storing and processing companies use for securing the PAN (Primary Account Numbers) should be changed in a periodic manner, as recommended by the industry best practices. This requirement for rotating encryption keys applies equally for both Data Encryption Keys (DEK) and Key Encryption Keys (KEK) [ keys that protect them DEK].
Cryptography or the art of secret writing is an integrated part of key management and data security, especially when it comes to EMV key management. The scope of implementing well structured security designs to EMV chips have not only made them more appreciated in the industry but also they are inexpensive. However, managing EMV keys successfully will rely on how effectively data storing and processing organizations are handling the challenges related to encryption and encryption key management. Several of the recent incidents have shown without that encrypted data can be hacked and several organizations are not yet adhering with the industry best practices. These complications can surely be overcome. However, taking the necessary actions is of more importance than preparing for restorative measures after the mishap has occurred.