Like most subjects that are ignored because they are too painful to dwell on, the evolving standards for cryptography in the payments industry are receiving little attention. Few enterprises are taking proactive steps to prepare for the significant changes to cryptographic infrastructure that these standards will require.
Historically, the industry has relied upon a wait-and-see approach to compliance violations. Most organizations have successfully used a calculated-risk model to justify deferring spending that outweighs the potential fines. This approach isn’t necessarily lazy or foolish. In fact, it’s sound business management as taught to MBAs and even CISSPs. If an infrastructure change is going to cost $100,000, but the fine imposed for avoiding the change is $20/day, it could be seen as financially irresponsible to make the change proactively.
Hard numbers such as these are easy to calculate. They are not, however, the only figures that should be considered. Cryptography provides trust. What is the monetary value of trust? Cryptography is employed because the organization possesses something that, if lost, would be of great consequence to it. Whether intellectual property, trade secrets, personally identifiable information, or sensitive payment account data, these items are held in trust. When trust is lost, the figures involved are nearly incalculable.
Compliance mandates for cryptography are not published merely because they’re a good idea or a best practice. These mandates outline the proper, safe, and reliable way in which cryptography can be depended upon to provide trust. In so many areas of business, we pride ourselves on going above and beyond. It’s not OK to be just OK, or to almost meet the standard. The foremost experts in the world set these minimum standards because a failure to meet them will leave data vulnerable.
Your enterprise should have active projects aimed at meeting all of the items listed below:
What is on the Horizon?
Key Bundling – While currently enforced only in PIN environments, it is being enforced for good reason and should be adopted for all key types. The enforcement dates are:
    Keys at Rest – June 01, 2019 (active)
    Keys Exchanged – June 01, 2021 (future)
    Keys at Endpoints – June 01, 2023 (future)
Elimination of two-key TDES – NIST deprecated this algorithm in 2015. HSMs that support it and rely upon FIPS 140-2 Level 3 certification have been re-categorized as “Historical.” Most solutions in that category will see their certification expire in 2022. New implementations should not be deployed after December of 2019. Watch for new requirements in FIPS 140-3 Level 3 (March 2019).
PCI HSM certifications – Many devices carrying this alternative to FIPS 140-2 Level 3 certification have had their certifications expire as of April 2019. New PCI HSM certifications will be valid through April of 2026.
Support for AES – AES must be supported by January of 2023.