Following a Major Attack, the PCI SSC Announces Securing Cryptographic Keys and Digital Certificates

August 26, 2014 | Christine Drake

With the rapid growth of threats that misuse keys and certificates, it’s not surprising that the Payment Card Industry Security Standards Council (PCI SSC) announced on Monday that Securing Cryptographic Keys and Digital Certificates is among the finalists selected for a 2015 Special Interest Group (SIG) project in support of the Payment Card Industry Data Security Standard (PCI DSS). Back in June, I posted a blog about our submission of a PCI SIG topic on Securing Cryptographic Keys and Digital Certificates. Now the acceptance of this PCI SIG as a finalist emphasizes how critical it is for organizations to protect keys and certificates, which establish the trust on which businesses depend—securing data, keeping communications safe and private, and establishing trust between communicating parties.

Both organizations and Qualified Security Assessors (QSAs) will benefit from this SIG. We have increased our reliance on keys and certificates that protect communications and authorize and authenticate servers, devices, software, cloud, and privileged administrators and users. As for the PCI DSS, keys and certificates are critical to securing cardholder data, as well as all sensitive electronic information, and are specifically mentioned throughout the standard. But the PCI DSS requirements demand more visibility and security over keys and certificates than most organizations can deliver.

Most organizations have not fully remediated Heartbleed. Venafi research shows that 97% of G2000 public-facing servers are still vulnerable because keys and certificates haven’t been changed—and this doesn’t include the behind-the-firewall systems that have been a low priority for remediation.
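The Heartbleed point above, that patching OpenSSL without replacing the private key and reissuing the certificate leaves a server exposed, lends itself to an inventory check. The Python script below is an added example written for this page, not Venafi's tooling and not anything produced by the PCI SIG. It walks DER-encoded certificates with a minimal hand-written ASN.1 reader to pull out the validity period and the SubjectPublicKeyInfo, flags any certificate whose notBefore predates the 7 April 2014 disclosure (the cutoff is a parameter, so the same check works for any rekey event), and also flags certificates that were reissued but still carry a key whose fingerprint was recorded from the pre-remediation inventory. The hostnames, key bytes and certificates are constructed test data; the certificates are unsigned, which is enough for parsing.

```python
import hashlib
from datetime import datetime, timezone

# Heartbleed was publicly disclosed on 7 April 2014. A certificate issued before
# that date on an affected server was issued over a potentially exposed key.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def _der(tag, content):
    """Encode one DER TLV in definite-length form."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, raw_tlv_bytes, next_pos)."""
    start, tag, length = pos, buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end


def _children(value):
    """Split a constructed DER value into (tag, value, raw) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, raw, pos = _read_tlv(value, pos)
        out.append((tag, val, raw))
    return out


def _parse_time(tag, value):
    """Decode X.509 UTCTime (0x17) or GeneralizedTime (0x18) as aware UTC datetime."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def inspect_certificate(der):
    """Return (notBefore, SHA-256 fingerprint of SubjectPublicKeyInfo) for a DER certificate."""
    _, cert, _, _ = _read_tlv(der, 0)      # Certificate ::= SEQUENCE
    _, tbs, _, _ = _read_tlv(cert, 0)      # tbsCertificate ::= SEQUENCE (first element)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:               # optional EXPLICIT [0] version
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    validity = _children(fields[3][1])
    not_before = _parse_time(validity[0][0], validity[0][1])
    return not_before, hashlib.sha256(fields[5][2]).hexdigest()


def audit_inventory(inventory, exposed_key_fingerprints, cutoff=HEARTBLEED_DISCLOSURE):
    """Flag certificates never reissued after the cutoff, or reissued over an exposed key.

    inventory: list of (hostname, der_certificate)
    exposed_key_fingerprints: SPKI fingerprints seen on hosts that ran vulnerable OpenSSL
    """
    findings = []
    for host, der in inventory:
        not_before, fp = inspect_certificate(der)
        if not_before < cutoff:
            findings.append((host, "certificate predates remediation cutoff; not reissued"))
        elif fp in exposed_key_fingerprints:
            findings.append((host, "certificate reissued but still uses exposed key"))
    return findings


def build_test_certificate(not_before, not_after, public_key):
    """Construct a structurally valid, unsigned X.509 v3 certificate (constructed test data only)."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    rsa_oid = _der(0x06, bytes.fromhex("2a864886f70d010101"))              # rsaEncryption
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    spki = _der(0x30, _der(0x30, rsa_oid) + _der(0x03, b"\x00" + public_key))
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),            # version v3
        _der(0x02, b"\x01"),                        # serialNumber
        sig_alg,                                    # signature algorithm
        _der(0x30, b""),                            # issuer (empty Name is enough for parsing)
        _der(0x30, utc(not_before) + utc(not_after)),
        _der(0x30, b""),                            # subject
        spki,
    ]))
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 9))   # placeholder signature


# Constructed sample inventory: three hosts, two key pairs. web1 never reissued;
# web2 reissued after disclosure but over the same key; web3 properly rekeyed.
OLD_KEY, NEW_KEY = b"\x01" * 32, b"\x02" * 32
_d = lambda y, m: datetime(y, m, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    ("web1.example.test", build_test_certificate(_d(2013, 6), _d(2015, 6), OLD_KEY)),
    ("web2.example.test", build_test_certificate(_d(2014, 5), _d(2016, 5), OLD_KEY)),
    ("web3.example.test", build_test_certificate(_d(2014, 5), _d(2016, 5), NEW_KEY)),
]
# Fingerprints recorded from the pre-remediation scan (here: web1's key).
EXPOSED_KEYS = {inspect_certificate(SAMPLE_INVENTORY[0][1])[1]}

if __name__ == "__main__":
    for host, reason in audit_inventory(SAMPLE_INVENTORY, EXPOSED_KEYS):
        print(f"{host}: {reason}")
```

The second check is the one most inventories miss: a fresh certificate with a recent notBefore looks remediated, but if it was issued against the same public key the private key exposed by Heartbleed is still in service. Fingerprinting the SubjectPublicKeyInfo rather than the certificate catches that case.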

Are you one of the doubters who don’t think they’ll become a victim? It looks like many G2000 organizations are. But odds are you’re already a victim—according to Ponemon Institute research, every major enterprise has been attacked using compromised keys and certificates in the last 24 months. So, I hope all of the doubters are getting converted to believers—the likelihood that you’ll be a victim of an attack on trust is very high and, without the right security in place, the impact even higher. Advanced Persistent Threats (APTs) that target keys and certificates, such as APT1, Mask, Energetic Bear, Crouching Yeti, and Zombie Zero—just to name a few—underscore the importance of strong key and certificate security and remediation capabilities.

The open approach of the PCI DSS requirements provides flexibility to implementing organizations, which is helpful when working to secure unique business environments. But organizations subject to the PCI DSS and QSAs need more clarity on how to secure keys and certificates to establish a foundation of trust for an effective security program and a defense against today’s cyber threats.

We have two primary objectives for this SIG:

  • Develop the document PCI DSS Cryptographic Key and Digital Certificate Security Guidelines
  • Draft a compliance checklist which outlines the different security options to meet the PCI DSS requirements for keys and certificates

Venafi co-submitted the PCI SIG proposal on Cryptographic Keys and Digital Certificates with SecurityMetrics, a leading QSA. SecurityMetrics brings extensive experience to the SIG—they have helped over 1 million organizations manage PCI DSS compliance and/or secure their network infrastructure, data communication, and other information assets. We also have several other participants committed to supporting the SIG, including QSAs, vendors, and merchants in the Global 2000.

PCI DSS 2014 Community Meetings

So what’s next? The selected PCI SIGs will present at the 2014 PCI Community Meetings in North America (September) and Europe (October). An election will be held from October 13-23 and the PCI Participating Organizations will vote. The leading 2-3 SIG topics will become PCI SIG projects for 2015.

If you are a PCI Participating Organization, I hope you’ll vote for this important SIG, and even consider becoming one of the SIG participants. For more information, read the Venafi press release on our SIG for Securing Cryptographic Keys and Digital Certificates.

About the author

Christine Drake

Christine Drake writes for Venafi's blog and is an expert in machine identity protection.
