AWS CloudHSM and PCI DSS Requirement 3 Explained

In today’s digital landscape, the protection of sensitive data is crucial, especially in the payment card industry. AWS Hardware Security Modules (HSMs), including AWS CloudHSM, are commonly used for key encryption, providing a secure, compliance-focused solution to protect sensitive data, including cardholder data. This is a critical aspect for businesses seeking to achieve PCI DSS compliance.

What is key encryption and why does key management matter?

Key encryption involves securing cryptographic keys used for data encryption to ensure that unauthorized parties cannot access or misuse sensitive data. When dealing with payment card data, PCI DSS Requirement 3 focuses on protecting stored account data, including the Primary Account Number (PAN) and expiration dates, using strong encryption techniques and appropriate key management controls. Sensitive authentication data, such as Card Verification Values (CVV), is subject to stricter PCI DSS rules and must be handled carefully.

For PCI DSS HSM requirements, the important question is not only whether encryption is used, but how encryption keys are generated, stored, separated, rotated, accessed and audited.

AWS HSM provides a robust solution to manage encryption keys securely by ensuring that these keys are stored, protected, and used within the bounds of the highest security standards.

How AWS HSM helps with Key Encryption

AWS CloudHSM is a hardware security module service that allows customers to generate, store and manage cryptographic keys. AWS HSMs offer a high level of physical and logical security, helping organisations support compliance with a variety of security standards, including PCI DSS.

1. Key Storage and Protection:

   • AWS HSMs store keys in FIPS 140-3 Level 3 validated hardware devices, ensuring that cryptographic operations such as key generation, signing and encryption occur within the secure boundary of the hardware, making it extremely difficult for unauthorized users to access the keys.

2. Separation of Keys:

   • Key-encrypting keys (KEKs) are stored separately from the data-encrypting keys (DEKs). AWS HSM ensures that the KEKs are used to protect DEKs and are not exposed to unauthorized access, providing an additional layer of protection for sensitive data.

3. Encryption of Sensitive Data:

   • AWS HSM can be configured to encrypt cardholder data stored in systems, databases, or files. With AWS HSM and appropriate encryption protocols, businesses can protect cardholder data both at rest and in transit, supporting PCI DSS requirements for strong cryptography and secure key management.

4. Key Management:

   • AWS provides key management tools integrated with HSM to ensure proper lifecycle management of cryptographic keys. This includes automated key rotation, lifecycle tracking, and access logging, which are essential for maintaining PCI DSS compliance.

Compliance with PCI DSS Requirement 3

PCI DSS Requirement 3 focuses on the protection of stored account data, specifying that sensitive data, including cardholder data (CHD), must be encrypted using strong encryption methods. The specific requirements for key management include:

1. Requirement 3.4: Encrypt stored cardholder data using strong cryptography and security protocols.

2. Requirement 3.6: Maintain strict control over cryptographic keys, including limiting access to the fewest custodians necessary, storing keys separately, and ensuring that key-encrypting keys are at least as strong as the data-encrypting keys they protect.

Here’s how AWS HSM helps in meeting these key requirements:

1. Encryption and Key Management: AWS CloudHSM provides FIPS 140-3 Level 3 validated key protection for cryptographic keys used to encrypt cardholder data. It ensures that key generation, storage and cryptographic operations are handled inside dedicated HSM hardware with strict access control.

2. Key Separation and Control: As per PCI DSS Requirement 3.6, AWS HSM helps maintain the separation of key-encrypting keys from data-encrypting keys, ensuring that keys are stored securely in the fewest possible locations and that access is strictly controlled.

3. Key Rotation and Expiry: AWS HSM can automate the process of rotating encryption keys at regular intervals, ensuring compliance with the PCI DSS requirement that keys should be refreshed periodically to reduce the risk of compromise.

Key Features of AWS HSM for PCI DSS Compliance

• FIPS 140-3 Level 3 Validation: AWS CloudHSM provides FIPS 140-3 Level 3 validated hardware security modules, meeting stringent security requirements for cryptographic key protection in regulated environments. This provides a strong hardware-backed foundation for PCI DSS key management.

• Separation of Duties: AWS HSM allows businesses to implement the principle of least privilege by limiting access to cryptographic keys and ensuring that only authorized personnel can manage them.

• Key Management Integration: With AWS Key Management Service (KMS) and CloudHSM integration, users can manage and control encryption keys, track their usage, and ensure that key policies align with PCI DSS requirements.

• Automated Key Rotation: AWS HSM supports the automated rotation of keys, reducing the risk of key compromise and maintaining compliance with PCI DSS key management requirements.

• Compliance Audits: AWS HSM logs all cryptographic operations and key usage, providing audit trails required for PCI DSS audits. These logs can be reviewed to ensure that key management practices are being followed correctly.

How to Be Compliant to PCI DSS Requirement 3 with AWS HSM

To ensure PCI DSS compliance with AWS HSM, follow these steps:

1. Implement Strong Encryption: Use AWS HSM to manage and store encryption keys for cardholder data, ensuring that all sensitive information is encrypted both at rest and in transit.

2. Ensure Separation of Keys: Store key-encrypting keys separately from data-encrypting keys within AWS HSM to maintain the integrity and security of sensitive data.

3. Limit Key Access: Ensure that access to cryptographic keys is restricted to the minimum number of custodians necessary, and that all key management activities are logged for audit purposes.

4. Regularly Rotate Keys: Implement automated key rotation policies using AWS HSM to comply with PCI DSS’s requirement for regular key changes to minimize risks.

5. Conduct Annual Audits: Regularly review and audit key management processes and ensure that AWS HSM logs are available for audits to verify compliance with PCI DSS.

Conclusion

AWS HSM provides a robust and secure solution for managing cryptographic keys in a way that supports PCI DSS Requirement 3. By using AWS CloudHSM, businesses can strengthen the protection of encryption keys, reduce the risk of unauthorized access and support stronger control over cardholder data.

Additionally, AWS HSM’s FIPS 140-3 Level 3 validated hardware, key rotation capabilities and audit trail features support PCI DSS HSM requirements, PCI key management and PCI encryption key management. These controls help organisations align their key management processes with PCI DSS and other industry security requirements.

For more information on AWS CloudHSM, visit the official AWS CloudHSM page.

For organisations that need broader support with PCI DSS scoping, documentation and remediation, nabu provides PCI DSS compliance support for payment environments.

Need PCI DSS guidance beyond scanning? Contact nabu to discuss your compliance requirements.

References:

1. AWS CloudHSM

2. PCI DSS v4.0.1 Requirement 3