The PCI PIN Standard requires implementation of Key Blocks. In this blog, the third of the series, we cover basic questions about the 3 phases for implementing the Key Blocks requirement. In our first blog, Key Blocks 101, we covered basic questions about this security method and how it helps secure payment data. The second blog in the series, Key Blocks 102, addressed questions around Key Block applicability.
Q. What are the 3 phases for Key Block?
A. Per PCI PIN Security Requirements, Requirement 18-3, “Key Blocks,” encrypted symmetric keys must be managed in structures called Key Blocks. The key usage must be cryptographically bound to the key using accepted methods, such that it must be infeasible for the key to be used if the usage attributes have been altered.
The phased implementation dates are as follows:
Phase 1 – Implement Key Blocks for internal connections and key storage within service provider* environments. This includes all applications and databases connected to hardware security modules (HSMs). Effective date: 1 June 2019. Please note, the effective date for Phase 1 has recently passed. Therefore, it is the expectation that service providers have already implemented Key Blocks for internal connections and key storage.
Phase 2 – Implement Key Blocks for external connections to associations and networks. Estimated timeline for this phase is 24 months following Phase 1, or 1 June 2021.
Phase 3 – Implement Key Blocks to extend to all merchant hosts, point-of-sale (POS) devices and ATMs. Estimated timeline for this phase is 24 months following Phase 2, or 1 June 2023.
*A service provider is an entity (that is not a payment brand), acting on behalf of an Acquiring organization for any of the following activities:
- Acquiring, processing, storage, or transmission of PIN-based payment transactions
- Management of cryptographic keys associated with PIN-based payments e.g., Certificate Authority, Key-Injection Facility
Note: If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although it may be considered a service provider for other services).
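To illustrate the cryptographic binding that Requirement 18-3 describes, the following is an added example (not PCI SSC code, and not the TR-31 or ISO 20038 wire format): a simplified key block whose usage attributes are MAC-bound to the wrapped key under a key block protection key, so a block whose usage attribute has been changed is rejected before the key is released. The `kbpk`, the header field names and the HMAC-based wrapping are assumptions made for this demonstration.

```python
import hashlib
import hmac
import os

# Hypothetical, simplified key block (not the TR-31 / ISO 20038 wire format):
#   [2-byte header length][header][16-byte nonce][wrapped key][32-byte MAC]
# The MAC covers header and wrapped key together under a sub-key of the KBPK.
def _subkey(kbpk: bytes, label: bytes) -> bytes:  # ENC / MAC sub-keys from KBPK
    return hmac.new(kbpk, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0  # HMAC-SHA256 in counter mode; demo stand-in for AES
    while len(out) < length:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def encode_header(attrs: dict) -> bytes:
    return "|".join(f"{k}={attrs[k]}" for k in sorted(attrs)).encode()

def wrap_key(kbpk: bytes, attrs: dict, key: bytes) -> bytes:
    hdr, nonce = encode_header(attrs), os.urandom(16)
    ks = _keystream(_subkey(kbpk, b"ENC"), nonce, len(key))
    body = bytes(a ^ b for a, b in zip(key, ks))
    unsigned = len(hdr).to_bytes(2, "big") + hdr + nonce + body
    return unsigned + hmac.new(_subkey(kbpk, b"MAC"), unsigned, hashlib.sha256).digest()

def unwrap_key(kbpk: bytes, block: bytes, expected_usage: str) -> bytes:
    """Verify the MAC first, then enforce the bound usage before releasing the key."""
    unsigned, mac = block[:-32], block[-32:]
    expect = hmac.new(_subkey(kbpk, b"MAC"), unsigned, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expect):
        raise ValueError("key block integrity check failed: header or key altered")
    hlen = int.from_bytes(unsigned[:2], "big")
    hdr, nonce, body = unsigned[2:2 + hlen], unsigned[2 + hlen:18 + hlen], unsigned[18 + hlen:]
    attrs = dict(kv.split("=", 1) for kv in hdr.decode().split("|"))
    if attrs.get("usage") != expected_usage:
        raise ValueError(f"key bound to usage {attrs.get('usage')!r}, not {expected_usage!r}")
    ks = _keystream(_subkey(kbpk, b"ENC"), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))

def is_accepted(kbpk: bytes, block: bytes, usage: str) -> bool:
    try:
        return unwrap_key(kbpk, block, usage) is not None
    except ValueError:
        return False

def with_altered_header(block: bytes, attrs: dict) -> bytes:  # models in-transit tampering
    hlen, hdr = int.from_bytes(block[:2], "big"), encode_header(attrs)
    return len(hdr).to_bytes(2, "big") + hdr + block[2 + hlen:]
```

Rewriting the header's usage attribute while keeping the original MAC causes `unwrap_key` to reject the block, and a valid block is still refused when it is requested for a usage other than the one bound to it.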
Q. Why 3 Phases? Why did the PCI Council make this requirement a phased approach?
A. The PIN Security Requirements version 2.0 was published in December 2014, with an effective date for implementation of 1 January 2018. Based on industry feedback, the standard was revised and announced on 28 March 2017 to incorporate phased implementation dates to allow for a smoother transition to the requirement. The phased-in approach allows organizations to focus resources on the associated risk, to address implementation tasks specific to their environment, and to support a smooth migration across the payments network.
Q. Does my entity have to implement the phases on the exact dates? Or is any date before the deadline acceptable?
A. Implementation may take place at any time up to and including the date of the deadline. Organizations are encouraged to implement Key Blocks as soon as is reasonably possible for their environment. The sooner Key Blocks are implemented, the more secure the payment systems will be. For Phases 2 and 3, it is important to work with the business partners that will be sending or receiving Key Blocks to ensure the appropriate coordination and testing is performed before the effective date. Organizations should begin discussions with those entities as soon as feasible to ensure they are able to complete testing and coordination in time to meet the deadline. It would also be prudent to consult with any third parties with which your organization exchanges payment data to ensure all parties can support the requirement.
Q. What if my entity cannot meet the phased dates?
A. It is important for an organization to understand the operational impacts, including the inability to continue processing and non-compliant status with the requirement. Validation of compliance is determined by the individual payment brands. The PCI SSC does not enforce compliance; this is done by the individual payment brands or acquiring banks. If you have questions regarding not being able to meet these deadlines, contact the payment brands of interest. To learn more about contacting the payment brands, please visit our FAQ.
Q. Are these dates certain, or are they subject to change?
A. The stated effective dates for the phases are based on industry input. The dates have been widely communicated and many organizations are on track to meet the requirement at the specified times; therefore, it is unlikely the dates will change. If you still have questions, please contact the individual payment brands.