The Payment Card Industry Security Standards Council (PCI SSC) is preparing to introduce a significant new addition to its suite of security standards: the PCI Key Management Operations (KMO) standard, expected to launch in the second half of 2026. This development signals a crucial evolution in how the payment industry approaches cryptographic key management, and it couldn't come at a more opportune time.
The Evolution of Payment Security Technology
The payment industry has undergone dramatic technological transformation over the past decade. Cloud-based Hardware Security Modules (HSMs), software-based cryptographic solutions, and distributed payment architectures have fundamentally changed how organizations process and protect sensitive payment data. Yet our key management frameworks have struggled to keep pace with these innovations.
Traditional key management standards were designed for a different era, one dominated by on-premises data centres and hardware-based security modules. Today's payment ecosystem is vastly more complex, with cryptographic operations distributed across cloud environments, mobile devices, and hybrid infrastructures. This technological shift demands a fresh approach to key management that can accommodate modern architectures whilst maintaining the robust security principles the industry requires.
Beyond PIN: Expanding the Scope of Cryptographic Protection
For years, PIN security has been the primary focus of structured key management in payment systems. The PCI PIN standard has served the industry well, establishing rigorous requirements for protecting Personal Identification Numbers throughout their lifecycle. However, the reality of modern payment security extends far beyond PIN protection.
Account data, authentication credentials, tokenisation systems, and encryption keys for data at rest and in transit all rely on strong cryptographic protection and disciplined key management. As payment methods diversify and security threats evolve, the industry needs a more comprehensive framework that can address the full spectrum of cryptographic operations across various payment technologies.
We might expect a new standard to recognise that payment security is fundamentally about protecting multiple types of sensitive data, each requiring appropriate cryptographic controls and key management practices tailored to its specific risk profile.
A Structural Foundation for Multiple Programs
One of the most intriguing aspects of the emerging KMO standard is its potential role as a foundational element that other PCI programs can reference. Rather than each standard maintaining its own separate key management requirements, potentially creating inconsistencies or gaps, a unified key management framework could provide a consistent security baseline across the payment ecosystem.
This structural approach would offer several advantages:
Consistency Across Standards: Organisations operating under multiple PCI programmes would benefit from a unified set of key management principles, reducing complexity and potential conflicts between different requirement sets.
Flexibility for Innovation: A generic key management framework can more easily adapt to new payment technologies and methodologies without requiring wholesale rewrites of multiple standards.
Enhanced Rigour: By consolidating key management expertise into a dedicated standard, the PCI SSC can potentially create more comprehensive and technically sophisticated requirements than would be practical within each individual programme.
Efficiency for Assessors and Organisations: A listing-based programme with specialised assessors could streamline the assessment process for entities that need to demonstrate compliance across multiple PCI standards.
What Might KMO Address?
While the specific requirements remain to be seen, we can speculate on areas where a modern key management standard might focus:
Cloud and Virtualised Environments: How do we ensure cryptographic key security when HSMs are delivered as services? What controls are appropriate for software-based key management in cloud architectures?
Key Lifecycle Management: Comprehensive coverage of key generation, distribution, storage, rotation, and destruction across diverse technological platforms.
Access Controls and Segregation of Duties: Robust frameworks for controlling who can access, use, or manage cryptographic keys, potentially incorporating modern authentication and authorisation technologies.
Cryptographic Agility: Requirements that support the ability to transition between cryptographic algorithms as technology advances and threats evolve.
Audit and Monitoring: Enhanced capabilities for detecting and responding to potential compromises of key material or key management systems.
Integration Points: Clear guidance on how key management operations integrate with related security controls like network segmentation, physical security, and personnel security.
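To make the lifecycle, segregation-of-duties, agility and audit themes above concrete, here is an added example (written for this post, not code from PCI SSC or from any KMO draft) of a small in-memory key manager. It assumes nothing about the eventual standard: key versions carry their algorithm so a rotation can move to a stronger MAC without touching callers, generation and destruction require approval from two principals other than the requester, deprecated versions remain verify-only until the data under them is migrated and they are destroyed, and every operation lands in an audit trail. The `KeyManager` class, its method names, the `hmac-sha256`/`hmac-sha512` registry and the `version:tag` output format are all constructed for illustration; a production system would keep the material inside an HSM rather than in Python memory.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class KeyState(Enum):
    ACTIVE = "active"          # may protect new data and verify existing data
    DEPRECATED = "deprecated"  # verify-only while data protected under it is migrated
    DESTROYED = "destroyed"    # material erased; only metadata and audit history survive


@dataclass
class KeyVersion:
    version: int
    algorithm: str             # recorded with the key so callers never hard-code it
    material: Optional[bytes]
    state: KeyState
    kcv: str                   # key check value: identifies the key without exposing it


class KeyManager:
    """Toy in-memory key manager (constructed for this example, not a PCI artefact)."""

    # Algorithm registry: registering a new entry is all a rotation to a new MAC needs.
    ALGORITHMS = {"hmac-sha256": hashlib.sha256, "hmac-sha512": hashlib.sha512}

    def __init__(self, required_approvers: int = 2):
        self._keys: dict[str, list[KeyVersion]] = {}
        self.audit_log: list[dict] = []
        self.required_approvers = required_approvers

    def _log(self, actor, action, key_id, version=None, detail=""):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
            "action": action, "key_id": key_id, "version": version, "detail": detail,
        })

    def _require_dual_control(self, actor, approvers, key_id):
        # Segregation of duties: the requester cannot approve their own request, and at
        # least `required_approvers` distinct other principals must sign off.
        distinct = set(approvers) - {actor}
        if len(distinct) < self.required_approvers:
            self._log(actor, "denied", key_id,
                      detail=f"{len(distinct)} approvers, {self.required_approvers} required")
            raise PermissionError("dual control not satisfied")

    @classmethod
    def _kcv(cls, algorithm, material):
        return hmac.new(material, b"\x00" * 16, cls.ALGORITHMS[algorithm]).hexdigest()[:6]

    def generate(self, key_id, algorithm, actor, approvers):
        if algorithm not in self.ALGORITHMS:
            raise ValueError(f"unsupported algorithm: {algorithm}")
        self._require_dual_control(actor, approvers, key_id)
        versions = self._keys.setdefault(key_id, [])
        for kv in versions:  # at most one version is ACTIVE at a time
            if kv.state is KeyState.ACTIVE:
                kv.state = KeyState.DEPRECATED
                self._log(actor, "deprecate", key_id, kv.version)
        material = secrets.token_bytes(self.ALGORITHMS[algorithm]().digest_size)
        kv = KeyVersion(len(versions) + 1, algorithm, material, KeyState.ACTIVE,
                        self._kcv(algorithm, material))
        versions.append(kv)
        self._log(actor, "generate", key_id, kv.version, f"{algorithm} kcv={kv.kcv}")
        return kv.version

    def rotate(self, key_id, actor, approvers, algorithm=None):
        # Cryptographic agility: a rotation may also move the key to a stronger algorithm.
        algorithm = algorithm or self._active(key_id).algorithm
        return self.generate(key_id, algorithm, actor, approvers)

    def _active(self, key_id):
        for kv in self._keys.get(key_id, []):
            if kv.state is KeyState.ACTIVE:
                return kv
        raise LookupError(f"no active version of {key_id}")

    def mac(self, key_id, data, actor):
        kv = self._active(key_id)
        tag = hmac.new(kv.material, data, self.ALGORITHMS[kv.algorithm]).hexdigest()
        self._log(actor, "mac", key_id, kv.version)
        return f"{kv.version}:{tag}"  # version prefix lets verify() find the key after rotation

    def verify(self, key_id, data, tagged, actor):
        ver_str, _, tag = tagged.partition(":")
        for kv in self._keys.get(key_id, []):
            if str(kv.version) == ver_str and kv.state is not KeyState.DESTROYED:
                expected = hmac.new(kv.material, data, self.ALGORITHMS[kv.algorithm]).hexdigest()
                ok = hmac.compare_digest(expected, tag)
                self._log(actor, "verify", key_id, kv.version, "ok" if ok else "MISMATCH")
                return ok
        self._log(actor, "verify", key_id, None, "no usable key version")
        return False

    def destroy(self, key_id, version, actor, approvers):
        self._require_dual_control(actor, approvers, key_id)
        kv = self._keys[key_id][version - 1]
        if kv.state is not KeyState.DEPRECATED:
            raise RuntimeError("only deprecated versions may be destroyed")
        kv.material = None
        kv.state = KeyState.DESTROYED
        self._log(actor, "destroy", key_id, version)
```

The design choice worth noting is that the tag produced by `mac()` names the key version that made it, so after a rotation old data still verifies under the deprecated version while new data is protected under the new one; only an explicit, dual-controlled `destroy()` removes that ability, and the audit log records who asked for what and which requests were refused.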
The Path Forward
The introduction of a dedicated key management standard represents more than just another compliance requirement; it reflects the payment industry's recognition that cryptographic key management is fundamental to data security in the modern payment ecosystem. As organisations increasingly rely on encryption and cryptographic controls across all aspects of payment processing, the strength and integrity of key management operations become critical to the entire security posture.
For organisations currently operating under PCI PIN, P2PE, MPoC, or other programmes with key management components, it will be worth watching how KMO develops and planning for potential integration of these new requirements into existing security programmes. The transition period will likely offer opportunities to consolidate and strengthen key management practices whilst maintaining continuity of operations.
The payment industry's move towards a comprehensive, modern key management standard is a welcome development that acknowledges both the technological realities of today's payment ecosystem and the evolving threat landscape. As we await the formal release of PCI KMO, organisations should be considering how their current key management practices align with best practices and preparing for a new era of standardised, rigorous cryptographic key management across the payment industry.
The PCI KMO standard is currently in development, with release expected in mid-2026. Organisations should monitor PCI SSC communications for official announcements and guidance on implementation timelines.
We are following these developments closely and will be sharing updates as they emerge. If you require consultancy or support with key management operations and the new KMO standard, please don't hesitate to reach out to us.