The PCI PIN Security Requirements and Testing Procedures (PCI PIN Security Standard) require implementation of Key Blocks. On the blog, we cover basic questions about this security method and how it helps secure payment data.
What are Key Blocks?
Key Blocks is a standard way of protecting the integrity of cryptographic keys and of associating them with their intended use. Key Blocks may be used to protect both Triple Data Encryption Algorithm (TDEA), sometimes referred to as 3DES or TripleDES, and Advanced Encryption Standard (AES) keys. Key Blocks are used to protect the secrecy and integrity of the encrypted key.
Why are Key Blocks important to payment security?
Key Blocks play an important role in protecting cryptographic keys used to help protect payment security. They are important because they prevent misuse of cryptographic keys and make it very difficult for hackers to exploit weaknesses that might otherwise allow unauthorized modification, substitution or discovery of a cryptographic key that is used to protect payment data.
Key Blocks play a central role in doing cryptography correctly.
What is the difference between Key Blocks and Key Bundling? Are they the same thing?
No, they are not the same thing; however, they are related. Key Bundling is a concept introduced in the 1990s to protect Triple Data Encryption Standard (TDES) keys. It has no utility beyond TDES. Key Bundling is specific to the TDES keys and is a standard way of preventing the reordering of DES keys (that make up a TDES key). Key Blocks/Key Wrapping also accomplish this, but Key Bundling doesn’t accomplish everything that Key Blocks do. Key Blocks have a broader use than key bundling. Key Bundles were conceived as a mechanism for protecting the integrity of TDES key bundles, and this has now been supplanted by a broader construct known as Key Blocks. For example, Key Blocks can be utilized for AES keys as well as TDES keys.
What are some of the potential risks to organizations that don’t implement cryptographic Key Blocks as required by the PCI PIN Security Standard?
Not implementing Key Blocks as required by the PCI PIN Security Standard could leave organizations vulnerable to more attacks and thus resulting in payment data compromises. Key Blocks are essential in protecting the cryptography that, in turn, protects payment data. Organizations that fail to utilize Key Blocks run a greater risk of a breach that could go undiscovered for a significant period-of-time with significant consequences. It is therefore important to implement Key Blocks before these wide scale attacks materialize. Failure to utilize Key Blocks may also result in an organization becoming so compromised that they are effectively under the control of hackers. This can lead to extortion situations or worse, the complete compromise and elimination of valuable data.
Finally, the risk isn't just to the organization that gets this wrong, the risk is to the greater ecosystem. The data that is compromised could impact cardholders, issuers, third parties, and payment brands.
What is the PCI SSC doing regarding Key Blocks? What resources does PCI SSC offer to support implementation of cryptographic Key Blocks?
Key Blocks are an important part of the PCI PIN Security Standard. PCI SSC has also developed information supplements and FAQs that provide more technical information on how to implement and use Key Blocks as required in the standard. Additionally, PCI SSC will be publishing a series of more detailed blogs on this and related cryptographic topics.
For more information on this important subject, please see our 2017 Information Supplement: Cryptographic Key Blocks, as well as the latest 2019 Information Supplement: PIN Security Requirement 18-3 – Key Blocks. These documents include helpful information on acceptable methods for implementing Key Blocks, important implementation dates, and FAQs that cover a range of relevant topics.