Time
3 hours 7 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:01
Welcome to the Cybrary Demystifying PCI DSS Compliance course.
00:06
This module will focus on the goals of the PCI DSS and the requirements associated with them.
00:14
This video introduces you to requirements 3.6 through 3.7.
00:19
We'll talk about some of the requirements associated with protecting cardholder data.
00:26
The learning objective of this video is to explore how to satisfy requirements around protecting cardholder data, and ways you can satisfy PCI DSS requirements 3.6 through 3.7.
00:40
Requirement 3 is around the protections you, as a merchant, need to have in place when dealing with credit card data.
00:46
Mechanisms such as encryption, truncation, masking and hashing should be leveraged to protect credit card data from an intruder.
00:54
You should also only store and maintain this data if it is absolutely necessary.
01:00
The 3.6 group is around all of the documentation and implementation of key management processes and procedures for the cryptographic keys used for encryption of cardholder data.
01:15
The auditor will be looking for how you are addressing 3.6.1, the generation of strong encryption keys,
01:22
3.6.2, secure cryptographic key distribution,
01:26
and 3.6.3, secure cryptographic key storage.
01:32
Generation, distribution and storage are all key components of a secure cryptographic infrastructure, and all need to be handled with great care.
01:42
A lapse in any of these areas could lead to the collapse of the security of all encryption mechanisms.
01:49
The auditor will be looking to observe all of the procedures and methods to ascertain if there are any chinks in the armor.
01:59
Encryption keys have a defined time period.
02:01
The key should expire after a set period of time, because the resilience of a key may weaken over time.
02:07
Requirement 3.6.4 mandates that a merchant must have in place processes to handle key changes for keys that have expired.
02:16
PCI does not mandate any specific process, so an auditor will just be looking to see that you have something specifically defined and that you are following it.
02:28
Similarly, 3.6.5 looks to see that you have a process for replacing keys that need to be replaced for reasons other than expiration.
02:37
If a key has been weakened due to some new disclosure, or is suspected of being compromised,
02:43
or if an employee who had knowledge of a sensitive key component simply leaves,
02:46
then the merchant needs to have in place a process to replace or retire the keys.
02:53
Requirement 3.6.6 acknowledges that there may be instances where manual clear-text cryptographic key management operations have to be used.
03:02
In these instances, no one person may have full control of the key.
03:07
Operations must be managed using split knowledge, where two or more people each have a portion of the key and must all come together to form the whole key,
03:16
or dual control can be used, which requires at least two people to perform any key management operation.
03:25
Requirement 3.6.7 is for the prevention of unauthorized substitution of cryptographic keys.
03:32
The encryption solution you're using should not allow for or accept substitution of keys coming from unauthorized or unexpected sources.
03:40
If an attacker is able to force your system to take keys from an arbitrary source,
03:46
the encryption solution is ineffective.
03:49
An auditor will be looking to interview personnel and verify that key management procedures specify processes to prevent unauthorized substitution of keys.
04:00
The 3.6.8 requirement should be a simple one.
04:03
The auditor will look to see if you, as a merchant, have defined who the key custodians are.
04:09
The auditor will then ask cryptographic key custodians to formally acknowledge that they understand and accept their key custodian responsibilities.
04:18
And finally, for requirement 3.7, a merchant must ensure that security policies and operational procedures for protecting stored cardholder data are documented,
04:29
in use, and known to all affected parties.
04:34
In summary, we discussed all of the mandates associated with PCI requirements 3.6 through 3.7.
04:42
Requirement 3 makes sure that you are putting in place controls to protect your customers' credit and debit card information from disclosure.
04:48
3.6 focuses on encryption, and 3.7 makes sure you have a policy in place when dealing with cardholder data.
04:57
Now for a quick quiz.
04:59
True or false:
05:00
Cryptographic keys only need to be replaced when they expire.
05:09
If a key has been weakened due to some new disclosure or suspected of being compromised, it needs to be replaced.
05:15
Or if an employee who had knowledge of the sensitive key components leaves, the key should be replaced.
05:24
Split knowledge or dual control is necessary for:
05:28
revocation of keys,
05:30
clear-text key management,
05:31
authentication, authorization,
05:33
access, key storage.
05:41
In instances where manual clear-text cryptographic key management operations have to be used, no one person may have full control of the key.

PCI DSS: Payment Card Industry Data Security Standard

This online course covers the basic aspects of the PCI Data Security Standard for handling credit card data. It is designed for professionals working for companies that must comply with the PCI DSS, and covers its impact on company operations.

Instructed By

Timothy McLaurin
Director of Information Security at Wildcard Corp
Instructor