Skip to main content
banner image
venafi logo

For the 2nd Year Running, PCI SSC Announces Securing Keys and Certificates a PCI SIG Finalist

For the 2nd Year Running, PCI SSC Announces Securing Keys and Certificates a PCI SIG Finalist

generic_blog_banner_image
September 2, 2015 | Kevin Bocek

There has been a dramatic increase in attacks that leverage keys and certificates, and the recent breadth and criticality of vulnerabilities, from Heartbleed to POODLE, underscore the importance of strong security and remediation capabilities. With the rapid growth of threats that misuse keys and certificates, it’s not surprising that the Payment Card Industry Security Standards Council (PCI SSC) announced today in its PCI Monitor weekly newsletter that Securing Cryptographic Keys and Digital Certificates is among the five finalists selected for a 2016 Special Interest Group (SIG) project in support of the Payment Card Industry Data Security Standard (PCI DSS).

This is the second year running that the PCI SSC has designated key and certificate security as a SIG finalist. Although the PCI Participating Organizations did not elect key and certificate security as a 2015 SIG last year, the PCI SSC has selected it as a finalist again—this time for the 2016 PCI SIGs—showing the council’s support for this important security and the need for a SIG in this area. Its acceptance for the second time emphasizes how critical it is for organizations to protect keys and certificates, which establish the trust on which businesses depend—securing data, keeping communications safe and private, and establishing trust between communicating parties.

This year the vulnerabilities in SSL and early TLS moved the PCI Council to eliminate their use under PCI DSS 3.1. However, to date, there has not been specific guidance on how to best implement and secure keys and certificates with detailed information on industry best practices and how these security elements interrelate for optimal protection.

Both organizations and Qualified Security Assessors (QSAs) will benefit from this SIG. We have increased our reliance on keys and certificates that protect communications and authorize and authenticate servers, devices, software, cloud, and privileged administrators and users. As for the PCI DSS, keys and certificates are critical to securing cardholder data, as well as all sensitive electronic information, and are specifically mentioned throughout the standard. But the PCI DSS requirements demand more visibility and security over keys and certificates than most organizations can deliver.

PCI SSC Special Interest Group Selection

Are you one of the doubters that don’t think you’ll become a victim? It looks like many G5000 organizations are. But odds are you’re already a victim—according to Ponemon Institute research, for the last four years running, every major enterprise has been attacked using compromised keys and certificates. So, I hope all of the doubters are getting converted to believers—the likelihood that you’ll be a victim of an attack on trust is very high and, without the right security in place, the impact even higher. Advanced Persistent Threats (APTs) that target keys and certificates such as APT 1, APT 18, Mask, POODLE, FREAK, Shellshock, and the Sony breach, as well as the Chinese certificate authority, CNNIC, involved in the issuance of malicious certificates, are just a few examples that underscore the importance of strong key and certificate security and remediation capabilities.

The open approach of the PCI DSS requirements provides flexibility to implementing organizations, which is helpful when working to secure unique business environments. But organizations subject to the PCI DSS and QSAs need more clarity on how to secure keys and certificates to establish a foundation of trust for an effective security program and a defense against today’s cyber threats.

We have two primary objectives for this SIG:

  • Develop the document PCI DSS Cryptographic Key and Digital Certificate Security Guidelines
  • Draft a compliance checklist which outlines the different security options to meet the PCI DSS requirements for keys and certificates

So what’s next? Video presentations of the selected PCI SIG finalists will presented at the 2015 PCI Community Meetings in North America (September) and Europe (November), and on the PCI SSC website. After the community meetings, an election will be held and the PCI Participating Organizations will vote. The leading 1-2 SIG topics will become PCI SIG projects for 2016.

We have several participants already committed to supporting the SIG, including QSAs, vendors, and merchants in the Global 2000. We hope that PCI Participating Organizations will follow the council’s show of support for key and certificate security for two years running and vote for this important SIG.

If you are the voting member of a PCI Participating Organization, vote for Cryptographic Key and Digital Certificate Security as a 2016 SIG and consider becoming one of the SIG participants.

Like this blog? We think you will love this.
executive man with forward looking glasses leaning up against a wall, self assured
Featured Blog

Why Is NIST SP 1800-16 So Important? [Think Executive Buy-In]

"The executive summary is a perfect tool to reach out to your executives and gain their sponsors

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

CIO Study: Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

Forrester Consulting Whitepaper: Securing the Enterprise with Machine Identity Protection
Industry Research

Forrester Consulting Whitepaper: Securing the Enterprise with Machine Identity Protection

Machine Identity Protection for Dummies
eBook

Machine Identity Protection for Dummies

About the author

Kevin Bocek
Kevin Bocek

Kevin is Vice President of Security Strategy & Threat Intelligence at Venafi. He is recognized as a subject matter expert in threat detection, encryption, digital signatures, and key management, and has previously held positions at CipherCloud, PGP Corporation and Thales.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat