PCI Requirement 3.6.2 – Secure Cryptographic Key Distribution

by Randy Bartels / July 28th, 2017

PCI Requirement 3.6.2 states, “Secure cryptographic key distribution.” Whether keys are moving from the generator into production or out to backup, and whether that movement is physical (tamper-proof or tamper-evident packaging on a trackable package) or electronic (a tracked transmission), any method your organization uses to transmit keys needs to be done securely. To further explain what it means to securely transmit keys, the PCI DSS also states, “The encryption solution must distribute keys securely, meaning the keys are distributed only to custodians identified in 3.5.1, and are never distributed in the clear.”

“When moving the keys from the point of generation into a production state, or perhaps moving these keys to a place of redundancy or backup, the transmission of these keys needs to be done securely. This could be done on Sneakernet, where you physically walk them on a thumb drive. If you’re going to be transmitting them over mail, those particular packages need to be trackable and need to be tamper-proof or have tamper-evident packaging. If you’re going to be emailing them or transmitting them electronically, the data-encrypting key needs to be encrypted with a key-encrypting key that’s equally as strong. In short, 3.6.2 requires that you transmit keys securely, however you’re doing that.”