Framework № PCI DSS 4.0 от 01.03.2022

3.7.1
Defined Approach Requirements: 
Key-management policies and procedures are implemented to include generation of strong cryptographic keys used to protect stored account data. 

Customized Approach Objective:
Strong cryptographic keys are generated. 

Defined Approach Testing Procedures:

Purpose:
 Use of strong cryptographic keys significantly increases the level of security of encrypted account data. 

3.7.2
Defined Approach Requirements: 
Key-management policies and procedures are implemented to include secure distribution of cryptographic keys used to protect stored account data. 

Customized Approach Objective:
Cryptographic keys are secured during distribution 

Defined Approach Testing Procedures:

Purpose:
Secure distribution or conveyance of secret or private cryptographic keys means that keys are distributed only to authorized custodians, as identified in Requirement 3.6.1.2, and are never distributed insecurely. 

3.7.3
Defined Approach Requirements: 
Key-management policies and procedures are implemented to include secure storage of cryptographic keys used to protect stored account data. 

Customized Approach Objective:
Cryptographic keys are secured when stored. 

Defined Approach Testing Procedures:

Purpose:
Storing keys without proper protection could provide access to attackers, resulting in the decryption and exposure of account data. 

Good Practice:
Data encryption keys can be protected by encrypting them with a key-encrypting key. Keys can be stored in a Hardware Security Module (HSM). 
Secret or private keys that can decrypt data should never be present in source code. 

3.7.4
Defined Approach Requirements: 
Key management policies and procedures are implemented for cryptographic key changes for keys that have reached the end of their cryptoperiod, as defined by the associated application vendor or key owner, and based on industry best practices and guidelines, including the following:

Customized Approach Objective:
Cryptographic keys are not used beyond their defined cryptoperiod. 

Defined Approach Testing Procedures:

Purpose:
Changing encryption keys when they reach the end of their cryptoperiod is imperative to minimize the risk of someone obtaining the encryption keys and using them to decrypt data. 

Definitions:
A cryptoperiod is the time span during which a cryptographic key can be used for its defined purpose. Cryptoperiods are often defined in terms of the period for which the key is active and/or the amount of cipher-text that has been produced by the key. Considerations for defining the cryptoperiod include, but are not limited to, the strength of the underlying algorithm, size or length of the key, risk of key compromise, and the sensitivity of the data being encrypted. 

Further Information:
NIST SP 800-57 Part 1, Revision 5, Section 5.3 Cryptoperiods - provides guidance for establishing the time span during which a specific key is authorized for use by legitimate entities, or the keys for a given system will remain in effect. See Table 1 of SP 800-57 Part 1 for suggested cryptoperiods for different key types. 

3.7.5
Defined Approach Requirements: 
Key management policies procedures are implemented to include the retirement, replacement, or destruction of keys used to protect stored account data, as deemed necessary when:

Customized Approach Objective:
Keys are removed from active use when it is suspected or known that the integrity of the key is weakened. 

Applicability Notes:
If retired or replaced cryptographic keys need to be retained, these keys must be securely archived (for example, by using a key-encryption key). 

Defined Approach Testing Procedures:

Purpose:
Keys that are no longer required, keys with weakened integrity, and keys that are known or suspected to be compromised, should be archived, revoked, and/or destroyed to ensure that the keys can no longer be used. 
If such keys need to be kept (for example, to support archived encrypted data), they should be strongly protected. 

Good Practice:
Archived cryptographic keys should be used only for decryption/verification purposes. 
The encryption solution should provide for and facilitate a process to replace keys that are due for replacement or that are known to be, or suspected of being, compromised. In addition, any keys that are known to be, or suspected of being, compromised should be managed in accordance with the entity’s incident response plan per Requirement 12.10.1. 

Further Information:
Industry best practices for archiving retired keys are outlined in NIST SP 800-57 Part 1, Revision 5, Section 8.3.1, and includes maintaining the archive with a trusted third party and storing archived key information separately from operational data. 

3.7.6
Defined Approach Requirements: 
Where manual cleartext cryptographic keymanagement operations are performed by personnel, key-management policies and procedures are implemented include managing these operations using split knowledge and dual control. 

Customized Approach Objective:
Cleartext secret or private keys cannot be known by anyone. Operations involving cleartext keys cannot be carried out by a single person. 

Applicability Notes:
This control is applicable for manual keymanagement operations or where key management is not controlled by the encryption product. A cryptographic key that is simply split into two parts does not meet this requirement. Secret or private keys stored as key components or key shares must be generated via one of the following:

Defined Approach Testing Procedures:

Purpose:
Split knowledge and dual control of keys are used to eliminate the possibility of a single person having access to the whole key and therefore being able to gain unauthorized access to the data. 

Definitions:
Split knowledge is a method in which two or more people separately have key components, where each person knows only their own key component, and the individual key components convey no knowledge of other components or of the original cryptographic key. 
Dual control requires two or more people to authenticate the use of a cryptographic key or perform a key-management function. No single person can access or use the authentication factor (for example, the password, PIN, or key) of another. 

Good Practice:
Where key components or key shares are used, procedures should ensure that no single custodian ever has access to sufficient key components or shares to reconstruct the cryptographic key. For example, in an m-of-n scheme (for example, Shamir), where only two of any three components are required to reconstruct the cryptographic key, a custodian must not have current or prior knowledge of more than one component. If a custodian was previously assigned component A, which was then reassigned, the custodian should not then be assigned component B or C, as this would give the custodian knowledge of two components and the ability to recreate the key. 

Examples:
Key-management operations that might be performed manually include, but are not limited to, key generation, transmission, loading, storage, and destruction. 

Further Information:
Industry standards for managing key components include: 

3.7.7
Defined Approach Requirements: 
Key management policies and procedures are implemented to include the prevention of unauthorized substitution of cryptographic keys. 

Customized Approach Objective:
Cryptographic keys cannot be substituted by unauthorized personnel. 

Defined Approach Testing Procedures:

Purpose:
If an attacker is able to substitute an entity’s key with a key the attacker knows, the attacker will be able to decrypt all data encrypted with that key 

Good Practice:
The encryption solution should not allow for or accept substitution of keys from unauthorized sources or unexpected processes. 
Controls should include ensuring that individuals with access to key components or shares do not have access to other components or shares that form the necessary threshold to derive the key. 

3.7.8
Defined Approach Requirements: 
Key management policies and procedures are implemented to include that cryptographic key custodians formally acknowledge (in writing or electronically) that they understand and accept their key-custodian responsibilities. 

Customized Approach Objective:
Key custodians are knowledgeable about their responsibilities in relation to cryptographic operations and can access assistance and guidance when required. 

Defined Approach Testing Procedures:

Purpose:
This process will help ensure individuals that act as key custodians commit to the key-custodian role and understand and accept the responsibilities. An annual reaffirmation can help remind key custodians of their responsibilities. 

Further Information:
Industry guidance for key custodians and their roles and responsibilities includes: 

3.7.9
Defined Approach Requirements: 
Additional requirement for service providers only: Where a service provider shares cryptographic keys with its customers for transmission or storage of account data, guidance on secure transmission, storage and updating of such keys is documented and distributed to the service provider’s customers. 

Customized Approach Objective:
Customers are provided with appropriate key management guidance whenever they receive shared cryptographic keys. 

Applicability Notes:
This requirement applies only when the entity being assessed is a service provider. 

Defined Approach Testing Procedures:

Purpose:
Providing guidance to customers on how to securely transmit, store, and update cryptographic keys can help prevent keys from being mismanaged or disclosed to unauthorized entities. 

Further Information:
Numerous industry standards for key management are cited above in the Guidance for Requirements 3.7.1-3.7.8.