Protecting Cardholder Data: PCI Data Security Requirements

If you have been looking into what it takes to pass a PCI audit, you know that one of the core PCI Data Security requirements is to “Protect stored cardholder data”. Protection takes several forms: requirements specifying which data may be stored at all, requirements that you establish policies limiting how long it is retained and how it is disposed of, and of course requirements that the data be encrypted using strong cryptographic keys.

The requirements for the cryptographic keys themselves are quite specific: restrict access to the keys to the fewest people possible, use strong keys, store the keys in a secure location, and split the keys so that at least two people are required to enter a key.

All of these requirements are covered by Zecurion’s Zserver suite of products, and some are expanded upon. For instance, encryption is based on 256-bit AES, and keys are managed using a key quorum. The quorum lets the administrator split a key into multiple parts (for example, 5) while requiring only a subset of those parts (as few as 2) to be brought together to rebuild the key on the server for decryption. That means you no longer have to keep multiple copies of each key part in case someone loses the smart card holding their piece of the key. The quorum also protects you from a single individual being able to lock authorized users out of the system.

So if you are serious about passing a PCI audit, you should be looking into tools like these to help you maintain compliance with the PCI requirements.