PCI provides guidance on interpretation of its requirements for secure card production and personalization for magnetic strip and EMV integrated chip cards via its FAQs, published periodically. Recently (July, 2014), a question was asked as follows:
Can vendor and issuer keys exist at another site, such as for subcontracted card production activities, or for disaster recovery purposes?
While PCI answers this question for general operational conditions, it is the following specific comment that concerns this discussion:
However, copies of the HSM’s master file key cannot exist off site in any scenario. Storage of keys is a personalization activity so it must take place in the HSA, i.e. at the approved site.
Presumably, “master file key” refers to the HSM LMK (Local Master Key), under which keys generated in the HSM are encrypted for storage and export. While it is understandable that physically separate personalization bureaus should use distinct LMKs for their HSMs, the practicality of this for DR (Disaster Recovery) sites is questionable.
By definition, DR sites are provisioned so that operational status of a personalization bureau can be maintained should the primary site go down for any reason. Master keys and certificates, used for generation of cardholder data needed for personalization, are encrypted under the LMK of the resident HSM. If a disaster occurs and a backup site needs to take over the workload, it is highly desirable to be able to duplicate the environment of the primary site. This includes an HSM with the same LMK as the primary site so that the prepared data records, and software setup for data processing, can proceed both quickly and seamlessly.
The stated PCI position, above, would seem to preclude this. Keys would have to be exported from the primary site to the backup site under a shared ZCMK (Zone Control Master Key). While this is straightforward, the software setup for data processing would have to be set up separately at the backup site in a manual, two-step process: export every key under the ZCMK at the primary site, then import it under the backup site's own LMK. This is neither immediate nor seamless.
Perhaps the need is for more definition from PCI of what constitutes an “HSM master key file”. Some HSM manufacturers allow the LMK to be held as components, each of which is kept in a tamper-resistant, tamper-evident secure container (a secure smart card), much like the HSM itself. This methodology is very different from clear-text components held on paper or electronic media and secured only by physical control of a mechanical vault. When both physical and logical security are applied to LMK components, as with the smart card approach, does this provide sufficient distinction that the same LMK can be loaded at a DR site with no compromise in security? This is a desirable operational goal for such a scenario.
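The two DR scenarios discussed above, modelled as an added example (not code from the original post or from any HSM vendor): an LMK formed from custodian components, a working key record held under the primary LMK, and the difference between a DR HSM loaded from the same components versus one with a distinct LMK that must receive keys through the two-step ZCMK export/import. The wrap function, check value and all key bytes are constructed stand-ins, not an HSM's actual cipher or API.

```python
"""Model of LMK component loading and ZCMK key transfer (stand-in primitives, not an HSM API)."""
import hashlib
import hmac

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def combine_components(components):
    """Form the LMK by XORing custodian-held components, as HSM component
    loading does; no single component reveals anything about the LMK."""
    lmk = bytes(len(components[0]))
    for c in components:
        lmk = xor_bytes(lmk, c)
    return lmk

def wrap(kek: bytes, key: bytes) -> bytes:
    """Encrypt one key under another. Stand-in for the HSM's block cipher:
    a one-block keystream derived with HMAC-SHA256, XORed with the key."""
    return xor_bytes(key, hmac.new(kek, b"key-wrap", hashlib.sha256).digest())

unwrap = wrap  # XOR with the same keystream reverses the wrap

def kcv(key: bytes) -> str:
    """Key check value used to confirm a key arrived intact (stand-in: SHA-256 prefix)."""
    return hashlib.sha256(key).hexdigest()[:6].upper()

def migrate_via_zcmk(record, lmk_primary, zcmk, lmk_dr):
    """The two-step transfer needed when the DR site has its own LMK:
    export under the shared ZCMK at the primary site, import under the DR LMK."""
    exported = wrap(zcmk, unwrap(lmk_primary, record))   # step 1, primary site
    return wrap(lmk_dr, unwrap(zcmk, exported))          # step 2, DR site

# Constructed sample values (16-byte keys, not real key material)
COMPONENTS = [bytes.fromhex("0123456789abcdeffedcba9876543210"),
              bytes.fromhex("a5a5a5a5a5a5a5a55a5a5a5a5a5a5a5a"),
              bytes.fromhex("00ff00ff00ff00ff0f0f0f0f0f0f0f0f")]
DR_COMPONENTS = [bytes.fromhex("11111111111111112222222222222222"),
                 bytes.fromhex("33333333333333334444444444444444")]
ZCMK = bytes.fromhex("c0ffeec0ffeec0ffeec0ffeec0ffeec0")
ISSUER_MASTER_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")

def demo():
    lmk_a = combine_components(COMPONENTS)
    record = wrap(lmk_a, ISSUER_MASTER_KEY)  # as held in the primary site's key database
    # Scenario 1: DR HSM loaded from the same components -> same LMK, records usable as-is
    same = unwrap(combine_components(COMPONENTS), record) == ISSUER_MASTER_KEY
    # Scenario 2: distinct DR LMK -> stored records are unusable until re-wrapped via ZCMK
    lmk_b = combine_components(DR_COMPONENTS)
    direct = unwrap(lmk_b, record) == ISSUER_MASTER_KEY
    migrated = migrate_via_zcmk(record, lmk_a, ZCMK, lmk_b)
    return {"same_lmk_works": same, "distinct_lmk_direct_works": direct,
            "migrated_record_differs": migrated != record,
            "migrated_kcv_matches": kcv(unwrap(lmk_b, migrated)) == kcv(ISSUER_MASTER_KEY)}
```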
For more of Dave's thoughts on what to expect in the electronic payment industry next year, click on the link for an on-demand replay of the IT GRC Forum-sponsored panel discussion "Top Security Guidelines for EMV and Mobile Payments in 2015."