PCI DSS is a mandatory security framework for all companies that store, process, or transmit credit card information. The PCI Security Standards Council (PCI SSC) developed a framework with multiple key requirements to ensure cardholder data remains secure. This article examines the Payment Card Industry Data Security Standard (PCI DSS) requirements that concern data encryption.

Encryption Standards and Encryption Requirements

The following key PCI encryption requirements must be implemented to maintain compliance with the data protection standards.

  • Encrypt cardholder data such as Primary Account Numbers (PANs) when stored in databases, file systems, logs, or backups. This sensitive data also must be encrypted or rendered unreadable when transmitted over public networks.
  • Employ strong cryptographic algorithms such as AES, RSA, or ECC with secure key lengths.
  • Protect encryption keys with complete management and strict access controls.
  • Mask cardholder data when displayed on screens or in reports.
  • Test encryption controls regularly with measures such as vulnerability scans and penetration testing.

Merchants and providers must comply with PCI DSS encryption requirements. Both entities share responsibility for ensuring cardholder data remains secure. Providers have to meet the following additional PCI DSS requirements.

  • Document shared responsibilities: Providers must supply clear documentation regarding which PCI controls they manage and which are the customers’ responsibility.
  • Environment isolation: Service providers must validate segmentation controls and ensure the regulated environment cannot be accessed by other customers.
  • Enhanced monitoring: Providers must implement measures such as intrusion detection to identify cybersecurity threats, failure detection to ensure the availability of systems containing sensitive data, and change monitoring.
  • Cryptographic architecture: Providers are responsible for securing customer encryption keys and enforcing strict key lifecycle management. They must document the cryptographic architecture and maintain separate tenant encryption environments.
  • Access governance: Providers are expected to implement strict access management and authentication controls. They should perform effective background screening and enforce workflow segregation to protect sensitive cardholder data.
  • PCI compliance validation: Providers typically require annual assessments by a Qualified Security Assessor (QSA).

Encryption Algorithms

Teams typically use multiple encryption algorithms to protect sensitive information and maintain PCI compliance.

  • The Advanced Encryption Standard (AES) is the recommended algorithm for meeting PCI encryption requirements. AES is a symmetric-key algorithm in which the same key is used for both encrypting and decrypting data. It transforms plaintext blocks into ciphertext by performing multiple rounds of cryptographic operations. AES can be implemented with different key sizes; AES-256, with a 256-bit key, is the most commonly used variant.
  • RSA is an asymmetric encryption algorithm that uses two related keys and is primarily used for key exchange. The public key is used to encrypt data, while the private key is used to decrypt it. The public key can be shared openly, but access to the private key is controlled. Longer keys provide stronger security; RSA-2048 is the recommended minimum.
  • Elliptic Curve Cryptography (ECC) is a modern asymmetric cryptographic algorithm that uses elliptic curve mathematics to generate public and private keys. ECC can achieve security levels equivalent to RSA with much smaller key sizes, making it a good choice for mobile and resource-constrained devices.
  • The Triple Data Encryption Standard (TDES) is a legacy, symmetric-key encryption algorithm. It is being phased out in favor of modern encryption protocols such as AES that offer stronger security and better performance. Companies using TDES should strongly consider migrating to a more modern solution.
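The key-establishment role of RSA and ECC described above, shown as an added example that is not part of the original article: a 256-bit data key is wrapped under an RSA-2048 public key with OAEP (after a check that rejects any modulus shorter than the 2048-bit minimum named above), and two parties derive a shared secret with an ephemeral ECDH exchange on P-256, which also makes the key-size difference visible (a 65-byte P-256 public key against a 256-byte RSA-2048 modulus). The function names, the OAEP label and the 32-byte data key are this example's own choices; only Go's standard library is used.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel binds a wrapped blob to its purpose; both sides must use the same label.
var oaepLabel = []byte("pci-dek-wrap-v1")

// NewRecipient creates the RSA key pair of the party that will receive wrapped keys.
func NewRecipient(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// CheckRSAKeyLength enforces the RSA-2048 minimum before a public key is used.
func CheckRSAKeyLength(pub *rsa.PublicKey) error {
	if bits := pub.N.BitLen(); bits < 2048 {
		return fmt.Errorf("RSA key is %d bits; the minimum is 2048", bits)
	}
	return nil
}

// RSAWrapKey encrypts a symmetric data key under the recipient's RSA public key
// with OAEP (SHA-256). Only the holder of the matching private key can unwrap it.
func RSAWrapKey(pub *rsa.PublicKey, dek []byte) ([]byte, error) {
	if err := CheckRSAKeyLength(pub); err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, oaepLabel)
}

// RSAUnwrapKey is the recipient side; a modified blob fails the OAEP check.
func RSAUnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, oaepLabel)
}

// NewDEK draws a fresh 256-bit symmetric key to be transported.
func NewDEK() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// ECDHShared runs an ephemeral P-256 exchange between two parties and returns both
// derived secrets plus the size of one public key on the wire, which shows why ECC
// suits constrained devices: 65 bytes versus 256 for an RSA-2048 modulus.
// The raw secret is fed to a KDF such as HKDF before use as a key (not shown here).
func ECDHShared() (sideA, sideB []byte, pubBytes int, err error) {
	curve := ecdh.P256()
	a, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, 0, err
	}
	b, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, 0, err
	}
	// Each side combines its own private key with the peer's public key.
	if sideA, err = a.ECDH(b.PublicKey()); err != nil {
		return nil, nil, 0, err
	}
	if sideB, err = b.ECDH(a.PublicKey()); err != nil {
		return nil, nil, 0, err
	}
	return sideA, sideB, len(a.PublicKey().Bytes()), nil
}

func main() {
	recipient, err := NewRecipient(2048)
	if err != nil {
		panic(err)
	}
	dek, _ := NewDEK()
	wrapped, err := RSAWrapKey(&recipient.PublicKey, dek)
	if err != nil {
		panic(err)
	}
	unwrapped, _ := RSAUnwrapKey(recipient, wrapped)
	fmt.Printf("RSA-2048 OAEP: 32-byte DEK -> %d-byte blob, unwrap matches: %v\n", len(wrapped), bytes.Equal(dek, unwrapped))
	a, b, n, _ := ECDHShared()
	fmt.Printf("ECDH P-256: %d-byte public keys, shared secrets match: %v\n", n, bytes.Equal(a, b))
}
```

The wrapped blob is always as long as the RSA modulus (256 bytes for RSA-2048), while the ECDH exchange moves only two 65-byte public keys and yields a 32-byte secret on each side, which is the trade-off the ECC paragraph above describes.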

Managing Encryption Keys

Teams must manage and protect encryption keys effectively to safeguard sensitive cardholder data. Organizations often use a dedicated physical or virtual Hardware Security Module (HSM) to generate, store, manage, and protect cryptographic keys. HSMs are commonly deployed as network-attached appliances, USB devices, PCIe cards, and virtual cloud solutions.

Key access must be logged with user IDs and timestamps for accountability and auditability. Keys must be rotated to meet company standards and PCI DSS compliance. PCI general requirements recommend annual rotation for data encryption keys (DEKs) and every two years for key encryption keys (KEKs).

Key Management Procedures

The following is an example of typical PCI encryption key management procedures.

  • Keys are generated by authorized personnel as needed using organizationally approved encryption tools and cryptographically secure random number generators (CSPRNGs). The keys should be created on approved platforms such as hardware security modules (HSMs) or key management systems (KMSs).
  • Key access must be restricted to authorized users. The keys should be stored in an encrypted form, with key metadata including the key’s owner, its creation date, length, purpose, and rotation or expiration schedule. All key-related events, such as creation, access, rotation, and deletion, should be logged.
  • Teams should rotate keys to meet compliance requirements and company policy. Obsolete keys should be securely destroyed. Compromised keys should be revoked and replaced immediately to provide reliable security.
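The procedures above, together with the earlier requirements to encrypt stored PANs with AES and to log key access with user and timestamp, in working code as an added example that is not part of the original article: an envelope-encryption vault in Go in which the data-encryption key (DEK) exists only wrapped under the key-encryption key (KEK), every key operation is appended to a timestamped, attributable log, and a KEK rotation re-wraps the DEK without re-encrypting any stored ciphertext. The vault type, its in-memory KEK (an HSM would hold it in practice), the user names and the test card number are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// Vault models envelope encryption: the data-encryption key (DEK) is stored only
// wrapped under a key-encryption key (KEK), so a KEK rotation re-wraps the DEK and
// never touches cardholder data. An HSM holds the KEK in practice; here (assumption) memory.
type Vault struct {
	kek        []byte
	WrappedDEK []byte   // DEK encrypted under the KEK with AES-256-GCM
	Log        []string // lifecycle log: create, access, rotate
}

// newRandom draws n bytes from the platform CSPRNG (keys and nonces).
func newRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

// gcmFor builds an AES-256-GCM AEAD; every key here is 32 bytes long.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length can get here
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// Seal encrypts with AES-256-GCM and prefixes the random 96-bit nonce.
func Seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := newRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// Open reverses Seal; the GCM tag makes any modified ciphertext fail.
func Open(key, ct []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(ct) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

func (v *Vault) record(user, key, op string) {
	v.Log = append(v.Log, fmt.Sprintf("%s user=%s key=%s op=%s", time.Now().UTC().Format(time.RFC3339), user, key, op))
}

// NewVault generates a KEK and a DEK, wraps the DEK and logs both creations.
func NewVault(custodian string) *Vault {
	v := &Vault{kek: newRandom(32)}
	v.WrappedDEK = Seal(v.kek, newRandom(32))
	v.record(custodian, "KEK", "create")
	v.record(custodian, "DEK", "create")
	return v
}

// EncryptPAN protects a primary account number at rest under the DEK.
func (v *Vault) EncryptPAN(user, pan string) ([]byte, error) {
	dek, err := Open(v.kek, v.WrappedDEK)
	if err != nil {
		return nil, err
	}
	v.record(user, "DEK", "access")
	return Seal(dek, []byte(pan)), nil
}

// DecryptPAN recovers the PAN; it fails if the ciphertext was tampered with.
func (v *Vault) DecryptPAN(user string, ct []byte) (string, error) {
	dek, err := Open(v.kek, v.WrappedDEK)
	if err != nil {
		return "", err
	}
	v.record(user, "DEK", "access")
	pt, err := Open(dek, ct)
	return string(pt), err
}

// RotateKEK replaces the KEK and re-wraps the DEK; stored ciphertexts stay valid.
func (v *Vault) RotateKEK(custodian string) error {
	dek, err := Open(v.kek, v.WrappedDEK)
	if err != nil {
		return err
	}
	v.kek = newRandom(32) // the old KEK is now unreferenced and is to be destroyed
	v.WrappedDEK = Seal(v.kek, dek)
	v.record(custodian, "KEK", "rotate")
	return nil
}
```

Two points are worth checking when running it: a ciphertext written before RotateKEK still decrypts afterwards, because only the wrapping of the DEK changed, and flipping a single byte of a ciphertext makes DecryptPAN return an error rather than garbage, which is the integrity property that makes GCM preferable to an unauthenticated mode for stored PANs.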

Index Tokens and Tokenization

Index tokens enable searchability while protecting sensitive, encrypted data. An index token is a non-sensitive surrogate value that represents sensitive data. The tokens are designed to support lookup and indexing operations without exposing regulated data.

Tokens are widely deployed in databases, search indexes, and application workflows to streamline operations and secure sensitive data. Typical uses of tokens include fast database indexing, separating operational identifiers from protected data, and reducing the scope of PCI DSS compliance.

Businesses strengthen their protection of payment card data by leveraging a combination of tokenization and reversible encryption. Tokenization should be employed to reduce PCI DSS scope and minimize exposure of sensitive data in applications that do not frequently require plaintext. Examples include processing payment card data and creating account identifiers.

Reversible encryption is useful for databases, backups, and full-disk encryption, where the original data is recovered regularly.
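The index-token and tokenization ideas from the preceding paragraphs, along with the earlier requirement to mask PANs on screens and in reports, as an added example that is not part of the original article: a token vault in Go that issues random surrogate tokens for PANs, keeps a keyed (HMAC-SHA256) index token so records can be looked up by PAN without storing the PAN next to the token, and renders a masked PAN for display. The vault structure, the `tok_` prefix, the in-memory maps (the vault's own store would be encrypted at rest) and the test card number are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// TokenVault is the one component that can map a surrogate token back to a PAN.
// Systems that only ever see tokens fall outside PCI DSS scope; the vault itself
// stays in scope, and its store would be encrypted at rest (omitted here).
type TokenVault struct {
	indexKey []byte            // HMAC key for index tokens; never leaves the vault
	byToken  map[string]string // surrogate token -> PAN
	byIndex  map[string]string // index token -> surrogate token
}

// NewTokenVault creates an empty vault with a fresh 256-bit index key.
func NewTokenVault() (*TokenVault, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &TokenVault{key, map[string]string{}, map[string]string{}}, nil
}

// validPAN accepts 13 to 19 digits, the length range of payment card PANs.
func validPAN(pan string) bool {
	if len(pan) < 13 || len(pan) > 19 {
		return false
	}
	for _, r := range pan {
		if r < '0' || r > '9' {
			return false
		}
	}
	return true
}

// IndexToken is a keyed, deterministic surrogate: the same PAN always yields the
// same value, so records can be searched and joined on it, yet without the vault's
// HMAC key a PAN cannot be recovered from it or confirmed by guessing.
func (v *TokenVault) IndexToken(pan string) string {
	mac := hmac.New(sha256.New, v.indexKey)
	mac.Write([]byte(pan))
	return hex.EncodeToString(mac.Sum(nil))
}

// Tokenize returns the existing surrogate token for a PAN or mints a new random
// one. The random token carries no information about the PAN at all.
func (v *TokenVault) Tokenize(pan string) (string, error) {
	if !validPAN(pan) {
		return "", errors.New("input is not a PAN")
	}
	idx := v.IndexToken(pan)
	if tok, ok := v.byIndex[idx]; ok {
		return tok, nil
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(b)
	v.byToken[tok] = pan
	v.byIndex[idx] = tok
	return tok, nil
}

// Detokenize is the only way back to the plaintext PAN; its callers are inside
// PCI DSS scope and should be few, authenticated and logged.
func (v *TokenVault) Detokenize(tok string) (string, error) {
	pan, ok := v.byToken[tok]
	if !ok {
		return "", errors.New("unknown token")
	}
	return pan, nil
}

// LookupByPAN finds the token for a PAN through the index, so no system outside
// the vault has to store the PAN next to the token.
func (v *TokenVault) LookupByPAN(pan string) (string, bool) {
	tok, ok := v.byIndex[v.IndexToken(pan)]
	return tok, ok
}

// MaskPAN renders a PAN for screens and reports: at most the first six and last
// four digits are shown and the rest replaced with asterisks.
func MaskPAN(pan string) string {
	if len(pan) <= 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

func main() {
	v, err := NewTokenVault()
	if err != nil {
		panic(err)
	}
	tok, _ := v.Tokenize("4111111111111111") // constructed test number
	fmt.Println("token:", tok, "display:", MaskPAN("4111111111111111"))
}
```

The contrast with the reversible encryption described above is that nothing outside the vault can turn a surrogate token back into a PAN, however much computing power it has, whereas ciphertext is always recoverable by whoever holds the key; that is why tokens can leave the cardholder data environment and ciphertext generally should not.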

Encryption Practices and Access Controls

Businesses must restrict access to encryption keys with strict Identity and Access Management (IAM) policies. Only authorized personnel should be able to access and use the keys. A weak IAM posture exposes cardholder data to risks from external and internal threat actors.

Companies should implement least-privilege access control for key stores. This approach limits access to this essential information on a need-to-know basis. Teams should use multi-factor authentication for key administrators so that a compromised administrator credential alone does not expose sensitive data.

Teams should document their encryption protocols and publish them so they are accessible throughout the organization. Clear documentation eliminates confusion about the PCI encryption workflow and specifies which business roles require access to encryption keys.

PCI Encryption Decryption Controller and Chipset Driver

The encryption/decryption controller is the component that manages cryptographic operations as data moves through a system. It determines when data should be encrypted or decrypted, which keys are used, and how protected data flows throughout the environment.

Chipset driver dependencies can significantly affect the performance of encryption/decryption controllers. The chipset manages communication between the controller, CPU, memory, and other components. Missing, outdated, or incompatible chipset drivers can cause controllers to fail to initialize, exhibit degraded performance, or lose advanced features.

Teams should always perform firmware compatibility checks before driver updates to avoid unintended consequences that could affect the encryption/decryption controller and the environment.

Update Drivers: Automatically, Device Manager, Manufacturer

Teams can eliminate a potential point of failure by updating drivers automatically rather than relying on manual processes. Automatic updates make it easy for non-technical users to keep their drivers current, ensure optimal controller performance, and prevent the use of outdated drivers that may introduce instability or performance issues.

Users must ensure they use the recommended driver update tools or processes. They should opt for native operating system functionality or vendor-supplied installation utilities.

Update via Device Manager

Users can update device drivers manually in Windows Device Manager using the following procedure.

  1. Open Device Manager.
  2. Expand the category containing the controller driver.
  3. Right-click the controller and select Update Driver.
  4. Choose to Search automatically for drivers.
  5. Install the driver and reboot the system.

Download Chipset Driver from the Manufacturer

  1. Press Windows + R.
  2. Type msinfo32.
  3. Record the system manufacturer, system model, and BaseBoard Product.
  4. Visit the manufacturer’s support site and download the driver for your OS version.
  5. Run the manufacturer’s installer as an Administrator.
  6. Follow on-screen prompts and steps.
  7. Reboot the system and verify the driver has been installed.

Device Manager Troubleshooting for Encryption Controllers

Use the following procedure to check the driver version in Device Manager.

  1. Open Device Manager.
  2. Expand the category containing the controller.
  3. Right-click the selected controller.
  4. Select Properties and open the Driver tab.
  5. Review the driver information.

You can roll back newly installed drivers if they fail by following these steps.

  1. Open Device Manager.
  2. Expand the category containing the controller.
  3. Right-click the selected controller and choose Properties.
  4. Open the Driver tab.
  5. Select Roll Back Driver and confirm the activity.
  6. Restart the system if needed, and verify that the previous driver has been restored and that encryption services are operating normally.

If the Roll Back Driver option is not available, you must manually reinstall the last known-good driver. Teams should always collect and save system event logs for further analysis after a driver failure.

Securing Data In Transit and At Rest

Organizations must protect regulated data in transit and at rest to meet PCI standards. Payment transactions typically involve leveraging public networks to transmit data. All public network traffic should be encrypted in transit with Transport Layer Security (TLS), ideally version 1.3. Teams can use version 1.2 for compatibility, but versions 1.0 and 1.1 should be disabled.
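The TLS version requirement above, exercised with real handshakes, as an added example that is not part of the original article: a Go server configuration with TLS 1.2 as the floor is placed next to the weak configuration that still accepts TLS 1.0, and each is tested against a modern client and a client that only speaks TLS 1.0/1.1 over a loopback TCP connection. The throwaway self-signed certificate, the placeholder hostname `payments.example.test` and the function names are this example's own; a production endpoint uses a CA-issued certificate and leaves MaxVersion unset so TLS 1.3 is negotiated whenever the peer supports it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

const demoHost = "payments.example.test" // placeholder name for the demo endpoint

// selfSignedCert mints a throwaway ECDSA P-256 certificate and a pool that trusts it.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: demoHost},
		DNSNames:     []string{demoHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced just above always parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool, nil
}

// HardenedServerConfig is the PCI-aligned setting: TLS 1.2 is the floor, so
// TLS 1.0/1.1 clients are refused and TLS 1.3 is used when both sides can.
func HardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
}

// WeakServerConfig is the setting to find and fix: it still offers TLS 1.0 and
// 1.1 (modern Go disables them unless MinVersion is set explicitly, as here).
func WeakServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS10}
}

// clientConfig models a client that only speaks the given version range.
func clientConfig(pool *x509.CertPool, minVer, maxVer uint16) *tls.Config {
	return &tls.Config{RootCAs: pool, ServerName: demoHost, MinVersion: minVer, MaxVersion: maxVer}
}

// NegotiatedVersion performs one real handshake over a loopback TCP connection and
// returns the protocol version both sides agreed on, or the error if it was refused.
func NegotiatedVersion(server, client *tls.Config) (uint16, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			err = tls.Server(raw, server).Handshake()
		}
		srvErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return conn.ConnectionState().Version, nil
}

// VersionCheck runs the comparison with one throwaway certificate: a modern client
// against the hardened server, then a TLS 1.0/1.1-only client against both servers.
func VersionCheck() (modern uint16, legacyRefused bool, weakAccepts uint16, err error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return 0, false, 0, err
	}
	legacy := clientConfig(pool, tls.VersionTLS10, tls.VersionTLS11)
	modern, err = NegotiatedVersion(HardenedServerConfig(cert), clientConfig(pool, tls.VersionTLS12, tls.VersionTLS13))
	if err != nil {
		return 0, false, 0, err
	}
	_, refuseErr := NegotiatedVersion(HardenedServerConfig(cert), legacy)
	weakAccepts, _ = NegotiatedVersion(WeakServerConfig(cert), legacy)
	return modern, refuseErr != nil, weakAccepts, nil
}
```

VersionCheck is the entry point to call from a main function or a test: the hardened server negotiates TLS 1.3 (0x0304) with the modern client and returns an error for the legacy one, while the weak server is there to show what the setting that still has to be switched off looks like in configuration. The same MinVersion floor belongs on any client the organization operates, since a client willing to fall back to TLS 1.0 undoes the server-side control.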

Businesses must implement encryption at rest for databases that store cardholder data. The industry standard is AES-256, which we recommend to protect confidential data.

Teams must also ensure that backups of sensitive data are encrypted to prevent unauthorized access. Threat actors can use unencrypted backups to steal PCI-regulated data.

Performance, Challenges, and Trade-Offs

Decision-makers must understand that, from the perspective of their IT environment, strong encryption is not free. Companies implementing PCI encryption may face performance degradation that requires more powerful computing capabilities. Encryption adds overhead to existing processes, and that overhead must be managed effectively to maintain PCI DSS compliance.

The performance impacts of strong encryption include:

  • Increased CPU consumption;
  • Greater latency;
  • Slower storage access.

Symmetric encryption algorithms are faster and require fewer computational resources than asymmetric ones. Hardware security modules (HSMs) speed up secure key operations and are widely used in payment processing solutions.

Companies should test the impact of encryption in a test or staged environment that does not affect production systems. Teams can evaluate the effects of encryption on performance and latency to make appropriate modifications and avoid disrupting production workflows.

Organizations should adopt a similar mindset when integrating new PCI encryption processes or solutions into existing legacy environments. Companies will benefit from a methodical approach that protects cardholder data without compromising legacy system performance.

Compliance Audit Checklist

Companies may be audited to ensure they meet PCI DSS encryption requirements. Teams will need to provide appropriate evidence to demonstrate PCI DSS compliance and avoid fines or penalties. The following artifacts must be provided to auditors on request.

Teams must provide evidence of the cryptographic methods used to meet PCI encryption standards. This evidence includes detailing the systems used to encrypt data and the measures taken to protect encryption keys.

Organizations must make key management logs available for auditor review. The auditors must verify that only authorized personnel have access to encryption keys and that these keys are managed effectively to maintain compliance.

Teams should provide documentation for all cardholder data workflows to validate the scope of PCI encryption and compliance efforts. Auditors should be able to easily verify the flow of sensitive data through the system to ensure it is encrypted and used appropriately throughout the workflow.

FAQs and Resources

Teams should consider using encryption policy templates as a starting point for policy creation.

Users can find additional information about tokenization and point-to-point encryption at the following sites.

Tokenization:

P2PE options: