Subscribe to our Blog
Watch our webinar on-demand to find out more about cryptographic architecture in the cloud:
For transparency and to preserve the original spirit of the questions, we have not edited any of them. The questions were answered by Paolo Basilio, Global Head of Practice at Foregenix and Adam Cason, VP, Global and Strategic Alliances at Futurex.
1. How often is it seen that Payment Service Providers (PSPs) outsource their key Management to banks? Meaning the PSP has a specific bank to take custodianship of their master key.
Is it not best for PSPs to generate, transport and store their own Master Keys?
I have not seen any such cases. Generally, each entity manages their own sets of keys and organisations that need to share encrypted data with each other will share a unique symmetric key between them, each having the responsibility to safeguard the copy of that key or its components that the entities handle. I've also see cases where asymmetric cryptography was used where each entity had their own private/public key pairs signed by a certificate authority and each entity shared their public key with the other for the encryption and transmission of keys/data.
I would say that it is always best for an organisation to manage and control their own master keys given that these keys are generally used to encrypt all other keys which encrypt data and outsourcing that responsibility to a third party would put the security of that data in the hands of a third party. That being said, one would have to understand the particular circumstances in which the example in the question applies.
2. How are the roles and responsibilities of the key management teams impacted if we totally migrate away from the use of key components within our environment? Can anyone be involved in key management?
It will be difficult to completely migrate away from managing key components on some level when it comes to key management for HSM infrastructure. However, to answer the question, it would be prudent to still allocate responsibility for managing and initiating key management activities, be it a key exchange or sharing of public keys or any type of processes that may be part of and potentially impact the security of the cryptographic architecture. The allocation of this responsibility will not need to be as sensitive as when assigning key custodians for handling key components but responsibility should be documented and defined.
3. How do you overcome the challenge in the countries that you can not transfer personal data outside of the country?
Great question, by its nature, cloud processing means in many cases that data would be distributed across multiple geographies and even internationally which would make it difficult to meet such a requirement. Nevertheless, even within the same country, and spread across different parts of the country, distributed key management and HSM infrastructure still requires more efficient operations and would benefit from improved solutions.
When you're looking at a cloud payment HSM infrastructure in particular, it's important to talk to your provider about any data residency requirements you must abide by. That can help you make the decision about whether you are able to take a full-cloud approach, require a hybrid environment (with assurances that your cloud HSMs are housed in an in-country datacentre), or need to stick with a fully on-premises approach.
4. How would this work in terms of a QSA wanting to view Key Management operations during a PCI assessment? Would the QSA need to visit each Key Custodian at their home etc. to see this working in practice using the Excrypt Touch, or would the audit logs suffice?
Currently there are no guidelines for assessing controls at an employee’s home and due to the nature of the current industry requirements associated with key management such as dual-control, it would be difficult to have scenarios where this sort of scenario exists and an entity meets compliance requirements. It is likely that better solutions would be developed for this problem which would alleviate the need for custodians to have to store key material or cryptographic hardware at their private residence. This could be in the form of an encrypted key store or other practical solutions for scenarios where components are still in use. We will have to wait and see how the industry standards evolve to cater for an increasingly 'work from home' environment.
5. With key agent service, how do we make sure that the components are not tampered while they are being transmitted and stored in the HSM? Let’s say if keys get compromised then who will be accountable for it ?
Key components would need to be transmitted in authenticable, opaque, tamper-evident packaging or encrypted with a key of equal or greater strength when transmitted in accordance with industry standards and once these are received by the Futurex custodians, they will be received stored and loaded in accordance with these standards as well. Futurex are audited regularly against PCI PIN, PCI P2PE and various other industry standards.
For more information, check out these blog posts: Encryption 101 - How it works and Encryption 102: 5 Methods of Encryption
6. When do you think there will be a PTS approved HSM for use with a Cloud P2PE solution?
PTS approval pertains to physical cryptographic devices and therefore these devices can already be used in cloud environments. In terms of P2PE Solutions, there are already some service providers such as Futurex's 'VirtuCrypt' who have a P2PE certified decryption environment listing with a service offered through AWS and Azure.
Get in touch
We hope the answers to the questions above have helped you learn more about cryptographic architectures. For more information download our Crypto Practice datasheet.
If you have any other questions or would like to have a conversation feel free to email us at crypto@foregenix.com.
