In 2004, a potential vulnerability in the key-wrapping mechanisms used with double- and triple-length keys was published. Prior to 2010, the payment industry had been relying primarily on single-length keys, so the vulnerability was largely ignored.
The Triple DES algorithm itself, with double- or triple-length keys, is still considered strong cryptography. However, the eight-byte blocks (key components) of a TDES key are wrapped independently by legacy mechanisms, so an attacker who can modify a wrapped key is able to swap components or copy one component over another. The HSM still accepts the result, but the effective security of the key is lowered below its intended strength (for example, a key whose components are all equal collapses to single DES). This is mitigated by binding the blocks to each other and to their attributes with strong cryptography, so that any alteration is detected before the key is used.
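The following worked example, added here and not taken from the original page, shows both halves of the argument above: first the component-replacement attack on an ECB-style wrap, then a key-block-style construction in which a MAC binds the components and a header together. Two stand-ins are assumptions of this example: a small 8-byte-block Feistel toy cipher takes the place of DES, and HMAC-SHA256 takes the place of the CMAC used in real key blocks (TR-31). The EDE composition property E_K3(D_K2(E_K1(x))) and the wrap-and-bind logic do not depend on which block cipher is underneath. The sample keys, header and plaintext are constructed values, not real material.

```python
"""Key-component replacement against an independently wrapped TDES key, and
the binding that defeats it.  Added example; not the page's own material.
ASSUMPTIONS: a Feistel toy cipher stands in for DES, HMAC-SHA256 for the
TR-31 CMAC, and the header layout is illustrative.  Not for production."""
import hashlib
import hmac

BLOCK = 8  # DES block and single-length key size in bytes


def _f(right: bytes, key: bytes, rnd: int) -> bytes:
    """Keyed round function for the toy cipher."""
    return hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Four-round Feistel network standing in for single DES (E_k)."""
    assert len(key) == BLOCK and len(block) == BLOCK
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(right, key, rnd))
    return left + right


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_encrypt (D_k): same rounds, reversed order."""
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(left, key, rnd)), left
    return left + right


def _components(key: bytes) -> list:
    """Split a 16- or 24-byte key into K1, K2, K3 (K3 = K1 for double length)."""
    parts = [key[i:i + BLOCK] for i in range(0, len(key), BLOCK)]
    assert len(parts) in (2, 3), "double- or triple-length key expected"
    return parts if len(parts) == 3 else parts + [parts[0]]


def tdes_encrypt(key: bytes, block: bytes) -> bytes:
    """EDE composition E_K3(D_K2(E_K1(x))), the same structure as TDES."""
    k1, k2, k3 = _components(key)
    return toy_encrypt(k3, toy_decrypt(k2, toy_encrypt(k1, block)))


def tdes_decrypt(key: bytes, block: bytes) -> bytes:
    k1, k2, k3 = _components(key)
    return toy_decrypt(k1, toy_encrypt(k2, toy_decrypt(k3, block)))


# Legacy style: every 8-byte component is wrapped on its own (ECB), so the
# components are not tied to each other in any way the HSM can check.
def ecb_wrap(kek: bytes, key: bytes) -> bytes:
    return b"".join(tdes_encrypt(kek, key[i:i + BLOCK]) for i in range(0, len(key), BLOCK))


def ecb_unwrap(kek: bytes, wrapped: bytes) -> bytes:
    return b"".join(tdes_decrypt(kek, wrapped[i:i + BLOCK]) for i in range(0, len(wrapped), BLOCK))


def replace_second_component(wrapped: bytes) -> bytes:
    """Attacker's edit: copy the first wrapped block over the second.  The HSM
    unwraps this to K1||K1, and EDE under K1||K1 is just E_K1 (single DES)."""
    return wrapped[:BLOCK] + wrapped[:BLOCK]


# Key-block style: the components are encrypted and then bound, together
# with a header describing the key, by a MAC under a separately derived key.
def _derive(kbpk: bytes, label: bytes) -> bytes:
    return hmac.new(kbpk, label, hashlib.sha256).digest()[:16]


def build_key_block(kbpk: bytes, header: bytes, key: bytes) -> bytes:
    """header || encrypted components || MAC(header || encrypted components)."""
    enc = ecb_wrap(_derive(kbpk, b"ENC"), key)
    mac = hmac.new(_derive(kbpk, b"MAC"), header + enc, hashlib.sha256).digest()[:8]
    return header + enc + mac


def open_key_block(kbpk: bytes, key_block: bytes, header_len: int = 16) -> bytes:
    """Verify the binding MAC before any component is unwrapped."""
    header, enc, mac = key_block[:header_len], key_block[header_len:-8], key_block[-8:]
    expected = hmac.new(_derive(kbpk, b"MAC"), header + enc, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(mac, expected):
        raise ValueError("key block MAC check failed: components or header altered")
    return ecb_unwrap(_derive(kbpk, b"ENC"), enc)


def demo() -> dict:
    """Run both scenarios on constructed sample values (not real keys)."""
    kek = bytes(range(16))               # constructed key-encrypting key
    k1, k2 = b"\x11" * BLOCK, b"\x22" * BLOCK
    target, plaintext = k1 + k2, b"PINBLOCK"
    forged = ecb_unwrap(kek, replace_second_component(ecb_wrap(kek, target)))
    header = b"B0096P0TE00N0000"         # illustrative TR-31-like header
    kb = build_key_block(kek, header, target)
    tampered = kb[:16] + kb[16:24] + kb[16:24] + kb[32:]  # same edit, on a key block
    try:
        open_key_block(kek, tampered)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "forged_key_is_k1_k1": forged == k1 + k1,
        "collapses_to_single": tdes_encrypt(forged, plaintext) == toy_encrypt(k1, plaintext),
        "key_block_roundtrip": open_key_block(kek, kb) == target,
        "tampered_block_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The first two results are the vulnerability: the manipulated wrapped key is accepted and yields K1||K1, under which the EDE construction reduces to a single encryption under K1, so anything the HSM computes with it can be brute-forced over a single component. The last two show the mitigation: the genuine key block opens, and the identical component edit is rejected because the MAC covers every component and the header. Real key blocks also bind key usage, mode and exportability through the header, which is why the same mechanism protects keys that are not PIN keys.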
Presently, PCI PIN (2014) is the only standard that enforces key binding. No other industry-mandated audit or assessment evaluates the use of cryptography in the payment space. A common misconception is therefore that the requirement for binding, or “key bundling,” applies only to PIN keys. The vulnerability exists for every TDES key and is not confined to keys used with PINs.
As of March 2017, the PCI SSC revised the implementation dates for Key Blocks under PCI PIN Security Requirements v2, Requirement 18-3.
The new implementation dates are broken into phases, allowing organizations to focus resources on the associated risk in order to achieve compliance. The phased implementation dates are as follows:
PHASE 1 – Implement Key Blocks for internal connections and key storage within Service Provider environments; this includes all applications and databases connected to Hardware Security Modules (HSMs). Effective date: June 2019.
PHASE 2 – Implement Key Blocks for external connections to Associations and Networks. Estimated timeline for this phase is 24 months following Phase 1, or June 2021.
PHASE 3 – Extend Key Blocks to all Merchant Hosts, point-of-sale (POS) devices, and ATMs. Estimated timeline for this phase is 24 months following Phase 2, or June 2023.