The individual crypto requirements for PCI aren't going to help you very
much as they are the following:

3.5 Protect cryptographic keys used for encryption of cardholder data from
disclosure and misuse.
3.6 Fully document and implement all appropriate key management processes
and procedures for cryptographic keys used for encryption of cardholder data.

The NIST guide (SP 800-57) is a little better depending on your current
crypto knowledge. Also, unless you have specific needs to be FIPS 140
compliant, buy the non-FIPS version of hardware/software. It will save you a
lot.

2009/3/22 Jason Wood <[email protected]>

> Thanks for the reply, guys.  I've taken John's idea and used the NIST guide
> as a reference while following PCI's individual crypto requirements.  So far
> it's going OK.  Chris, your point is well taken about the technology to back
> up the process.  I'm trying to tackle the process right now, but I'm
> checking out HSMs too.  There's a lot to do and this is only one of them.
>
> Thanks for the help.
>
> Jason
>
> 2009/3/21 Chris Biettchert <[email protected]>
>
>> What type of application is it? Key management policies are great but you
>> also need to be sure that the system is designed/developed to withstand
>> attacks.
>>
>> I would start by using well known and trusted implementations of crypto
>> libraries. Keyczar can simplify the implementation and help you avoid
>> errors. Since Steve Weis, Ben Laurie, etc worked on it, I would be more
>> confident in using it than rolling your own crypto wrapper. You will also
>> probably want to purchase an HSM. There are several vendors and price really
>> depends on feature set/required load. If this is going to be used to encrypt
>> e-commerce transactions or something similar, expect to pay quite a bit to
>> get an HSM that can keep up with the load, but a smaller HSM should be within
>> budget of most projects.
>>
>> 2009/2/19 John Fiedler <[email protected]>
>>
>>> Hi Jason,
>>>
>>> You should take a peek at the PCI Requirements; they have some decent
>>> requirements for companies handling keys used to encrypt credit card
>>> numbers. This might not be exactly what you're looking for, but it might help
>>> some.
>>>
>>>
>>> https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html
>>> Look at requirements 3.6.x
>>>
>>> John
>>>
>>> 2009/2/18 Jason Wood <[email protected]>
>>>
>>>> Hi all,
>>>> I'm doing some reading on doing key management for a project and was
>>>> wondering what has worked for others.  I'm currently reading my way through
>>>> NIST's guidelines.  Does anyone have a document, book, paper, etc. that
>>>> helped them build a secure key management process?
>>>>
>>>> Thanks,
>>>> Jason
>>>>
>>>> _______________________________________________
>>>> Pauldotcom mailing list
>>>> [email protected]
>>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>> Main Web Site: http://pauldotcom.com
>>>>
>>>
>>>
>>>
>>> --
>>> John