In the previous article of the Key Management Awareness series, we looked at how cryptographic key management evolved from the early days’ operational controls into formal governance Standards guided by NIST, ANSI, and later PCI SSC. As card payment networks expanded in the 1970s and 1980s, financial institutions quickly realized that proper key management has the same importance as cryptography used to secure systems and sensitive data. Nowadays, payment systems rely on Hardware Security Modules, distributed payment platforms, hybrid environments and cloud-based cryptographic services, however, the key management operational model still depends on the same principles that were formulated in the early days of cryptography. Below we will review those principles and explain why they are still relevant today.
PCI Standards, like PCI PIN, PCI DSS or PCI P2PE always required strong cryptography alongside secure key management. It is hard to imagine, but, after so many years, insecure key management brings the same risks no matter which technology or cryptographic algorithms are being used. Although the technologies used to manage cryptographic keys significantly improved, the underlying principles have remained the same. These are the principles:
Fully understanding these principles is essential for clarifying the basics of key management.
One of the most fundamental principles of secure key management is split knowledge.
Core Idea: Split knowledge ensures that no single individual possesses the complete cryptographic key. Instead, the key is divided into multiple components or shares, each controlled by a different authorized custodian. Only when these components are combined during an authorized process the cryptographic key can be reconstructed or loaded into a secure system.
Why does this principle exist: The principle of split knowledge was introduced to address one of the most significant risks in cryptographic systems: insider compromise. If a single administrator could access or reconstruct a complete key independently, that individual could potentially decrypt sensitive data or authorize fraudulent transactions without detection. By dividing key material into separate components, split knowledge ensures that no single person can gain control of a cryptographic key.
In payment environments, split knowledge is commonly applied during:
Key components are typically distributed among multiple trusted custodians, each responsible for protecting their portion of the key.
The principle frequently mistaken for split knowledge is the concept of dual control.
Core Idea: Dual control requires that two or more authorized individuals must participate in sensitive cryptographic operations. These operations may include generating keys, loading keys into devices, exporting key material, or destroying keys.
Why does this principle exist: dual control addresses the operational risk that a single individual could manipulate key management processes without an oversight. Even if an individual does not know the full key because of split knowledge, they might still attempt to alter system configurations, load unauthorized keys, or bypass security controls. Requiring multiple participants ensures that sensitive actions cannot be performed silently or without verification.
In payment environments dual control is commonly enforced for:
This principle ensures that critical actions remain observable and auditable and controlled by more than one person.
As payment systems became more complex, the industry turned to specialized hardware for cryptographic protection. These Secure Cryptographic Devices (SCDs), like Hardware Security Modules (HSM), Key Loading Devices are designed to protect cryptographic keys and execute cryptographic functions only within the high secure trusted boundary of that device. If properly configured and secured, there is an assurance that cryptographic material managed by the SCD remains secure.
Why does this principle exist: In early computing systems, cryptographic keys were sometimes stored directly in the application memory or system files. This created opportunities for insiders, malware, or external attackers to extract sensitive key material.
Secure cryptographic devices were introduced to mitigate this risk by ensuring that keys remain protected within tamper-resistant environments. SCDs are used extensively across payment environments to perform almost all cryptographic key operations, including:
By isolating cryptographic operations within SCDs, organizations can significantly reduce the risk of cryptographic key material exposure.
Another important principle in secure key management is that cryptographic keys must exist only in approved forms. This principle governs how keys are stored, transmitted and loaded within secure environments.
Why does this principle exist: If cryptographic keys are handled in plaintext form, they can be easily copied, intercepted, or accidentally exposed through system logs, backups, or memory dumps. Approved key forms ensure that keys remain protected even when they move between systems with different security levels. Examples of approved key forms include protection by the key with equivalent key strength, stored within the SCD, or split under two or more key components or shares.
These mechanisms allow keys to be securely transferred without exposing the underlying key material. Approved key forms ensure that even when keys are stored outside cryptographic devices or transmitted across networks, the key material remains protected and can only be accessed by authorized cryptographic systems.
The principles we’ve reviewed have been used for decades to protect sensitive cryptographic key materials. But, even when organizations deploy secure cryptographic devices or enterprise key management platforms, those systems still depend on governance and operational controls implemented in the companies. Organizations must define a set of operational key management documented procedures in addition to the above key management principles:
The principles of secure key management we’ve reviewed above are clear and widely accepted by the payment industry. The PCI Security Standards Council, together with payment industry participants, has spent decades embedding these principles into PCI Standards and ensuring they are consistently reflected across different domains of the key management. However, while these principles are well defined, their practical implementation is often more complex than it initially appears.
Based on our experience as a PCI Assessor, the struggle with proper key management is clearly visible. We regularly observe non-compliance and control failures related to cryptographic key management, even in environments that have otherwise mature information security management system. These issues often have the objective reasons: complexity of modern cryptography infrastructures, unclear ownership of key management processes in hybrid and multi-domain environments, shared key management responsibilities spread across vendors and third-party service providers.
In the next article, we will explore these challenges in more detail. We will examine common findings observed during PCI assessments, typical mistakes organizations make when implementing key management controls and provide practical insight into how organizations can improve their key management practices with the upcoming PCI KMO Standard.
Our PCI Assessor team provides the technical guidance needed to secure your environment while minimizing your compliance overhead.
Learn more about our PCI Crypto Practice and get support from the most trusted team.