Think about those times when you’ve hosted a gathering. No matter if it was at your house or elsewhere, you probably worried about cleaning up beforehand, ensuring all the hors d'oeuvres were ready, that you had enough seating for every guest–in other words, you worried about being fully prepared.
It’s a slightly different experience with audits. While there are no hors d'oeuvres, the concept of preparing for and receiving “guests” is the same for the on-site visits that are necessary with most, if not all, compliance reviews.
That need for on-site visits especially extends to PIN and P2PE assessments, because for these kinds of security reviews, there’s often a lot for your assessors to come in and observe.
The stress of party planning may be something you have to cope with alone, but we want to alleviate the anxiety you may feel if you’re thinking of investing in this assessment. To do that, we’re going to break down what you should expect and prepare for when bringing in a third party to evaluate your controls surrounding PIN and P2PE data.
We’d know, because we have performed these on-site visits before and understand exactly what we have to note each time when assessing these controls.
With this basic checklist of sorts in hand, you’ll be able to internally prepare the facets of your environment ahead of your assessment. It'll help you feel more comfortable when your third party comes through your door.
Preparing Your Secure Rooms for Your On-Site Visit
Defining a Secure Room
When it comes to PIN and P2PE assessments, the big ticket item for on-site visits will be your secure rooms. For the sake of clarity, when we reference a “secure room” in this article, we mean any room where a Secure Cryptographic Device (SCD) is present:
- That can encrypt a key, generate a key, or load a key;
- That produces cryptograms; or
- Where clear-text keys or key components are kept.
What to Prepare for an On-Site Review of a Secure Room
Within your secure room(s), the basic elements to have ready for your assessor to review include, but are not limited to, the following:
- Dual Control - Your assessor will review that you have dual control over:
  - Access to HSMs or SCDs used for the generation or loading of cryptographic keys used at points of interaction (POI).
  - Access to devices which perform application signing.
  - Application signing.
  - Manual key-encryption functions.
  - Input or output of clear-text keys or key components.
- Physical Controls - Your assessor will ensure that:
  - The room is “enclosed on all sides (including ceiling and flooring areas) using techniques such as true floor-to-ceiling (slab-to-slab) walls, steel mesh, or bars.”
  - There is a solid core door or steel door to the room that also does not expose the hinges to the outside.
  - Windows, if present, prevent observation of the room, are locked, and will trigger alarms if opened or tampered with.
  - There are access controls that enforce dual-access requirements and prevent pass-back.
  - An alarm sounds if any single individual remains alone in the room for more than 30 seconds.
  - There is secure destruction of media containing keys or key components.
- Equipment Checks - Your assessor will perform:
  - Visual inspections of systems and cabling prior to use.
  - A review of safe contents and inventory logs.
- Video Surveillance - Your assessor will check that your video surveillance system:
  - Records events during dark periods.
  - Is monitored on a continuous basis (24/7).
  - Securely stores footage.
  - Archives/stores the most recent 45 days.
  - Is placed so as not to record key outputs or logical inputs for access to SCDs.
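The dual-access, anti-passback and 30-second lone-occupancy rules above are the kind of thing an assessor will want to see enforced, and a quick review of your own badge-reader logs ahead of the visit can show whether they are. The following is an added illustration, not code from the article or any access-control product; the event-log format (timestamp in seconds, badge id, direction) is constructed for the example.

```python
"""Audit a badge-reader event log for a secure room against three rules from
the on-site checklist: no pass-back (a badge must exit before re-entering),
and an alarm whenever one person is alone for more than 30 seconds.
Constructed example; the log format is invented for this illustration."""

LONE_OCCUPANCY_LIMIT = 30  # seconds a single occupant may be alone before an alarm

# Constructed sample log: (timestamp_seconds, badge_id, direction)
SAMPLE_EVENTS = [
    (0, "alice", "in"),
    (5, "bob", "in"),
    (400, "bob", "out"),
    (445, "carol", "in"),   # alice has been alone 45 s -> lone-occupancy alarm
    (500, "alice", "out"),
    (510, "alice", "in"),   # allowed: alice badged out before re-entering
    (520, "carol", "in"),   # pass-back: carol never badged out
    (560, "alice", "out"),
    (600, "carol", "out"),  # carol alone 40 s -> second alarm
]


def audit_access_log(events, limit=LONE_OCCUPANCY_LIMIT):
    """Return (timestamp, rule, badge) findings in time order.

    Lone occupancy is evaluated when the next event arrives, so the alarm
    timestamp reported is the moment the limit was exceeded."""
    inside = set()
    findings = []
    alone = None  # (badge, since, alarmed) while exactly one person is inside
    for t, badge, direction in sorted(events):
        # Has the current sole occupant been alone longer than the limit?
        if alone and not alone[2] and t - alone[1] > limit:
            findings.append((alone[1] + limit, "lone_occupancy", alone[0]))
            alone = (alone[0], alone[1], True)  # alarm once per lone interval
        if direction == "in":
            if badge in inside:  # anti-passback: already inside, never badged out
                findings.append((t, "passback", badge))
            inside.add(badge)
        elif direction == "out":
            if badge not in inside:  # exit with no matching entry
                findings.append((t, "exit_without_entry", badge))
            inside.discard(badge)
        # Start or reset the lone-occupancy timer based on who is now inside
        if len(inside) == 1:
            sole = next(iter(inside))
            if alone is None or alone[0] != sole:
                alone = (sole, t, False)
        else:
            alone = None
    return findings
```

Running the audit over the sample log reports alice alone at 430 s, carol's pass-back at 520 s and carol alone at 590 s; a clean log returns an empty list.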
Other Elements to Prepare for Your On-Site Visit
Of course, you may manage different parts of a transaction, and some roles require more than an evaluation of your secure room. To provide more specific insight, we’re going to outline the extent of review required during on-site visits for some of the more common scenarios for organizations involved in these transactions.
Different strokes for different folks, but if any of the following sound like your organization, you’ll need to prepare the items in the additional lists ahead of your assessor’s visit.
On-Site Visits For Organizations That Outsource Key-Injection and Maintain a Secure Room for Key Management and Key Conveyance
If this sounds like you, your on-site review will pertain entirely to your secure room where personnel directly access an HSM for key management functions. The review will cover:
- Physical access controls to the room housing the HSMs and ancillary equipment
- Physical access control to safes where key custodian equipment or material is stored
- Logical access to equipment
- Video surveillance
- Access logs
- Demonstrations of key management activity, including:
  - Key generation under dual control where clear-text outputs are present
  - Key loading
  - Secure storage of key components
  - Destruction of keys and key components
On-Site Visits For Certificate and Registration Authorities (CA/RA)
If you are a CA/RA, prepare also for a review of the three physical tiers at your secure facility. The definitions for each of these and associated reviews are:
- Level One Barrier – The entrance to the facility.
  - Your assessor will want to see a guarded entrance, relevant physical controls, and a logbook in place for personnel entering the facility.
- Level Two Barrier – The entrance beyond the foyer/reception area to the CA facility.
  - Your assessor will observe the access controls for designated staff and visitors, access logs, and video surveillance.
- Level Three Barrier – Access to the physically secure, dedicated room housing the CA and RA database and application servers and cryptographic devices.
  - Reference the section above, “What to Prepare for an On-Site Review of a Secure Room,” for details on this evaluation.
On-Site Visits For Organizations That Provide a Key-Injection Facility (KIF) as a Component Provider
Given the nature of key injection–i.e., incredibly important to transactions and just as delicate regarding security–if you provide this service, your assessor will perform an additional significant review of other physical controls and operations while on-site.
Not only will you have to ensure that everything in the above secure room checklist is aboveboard, but you’ll also need to prepare the following for your KIF:
- Physical controls over POI that:
  - Are awaiting key injection;
  - Have keys injected and are awaiting deployment;
  - Were returned for rekeying; and
  - Contain errors and are awaiting evaluation, destruction, or return to the vendor.
- Inventory management of POI;
- Dual control over devices which perform key injection;
- Logs of key loading activities; and
- Video surveillance.
**Note:** While exceptions can be allowed for controls typically reviewed on-site to be reviewed remotely, few are permitted where a KIF is concerned, because security controls prevent cameras and external computing equipment from being present in sensitive areas.
How to Prepare for Observations of Key Management Operations
Regardless of what kind of secure facility you have, it’s always best to include a demonstration of key management operations during your on-site visit as well.
Because higher-level keys or the generation of key components may not be needed for day-to-day business operations, live demonstrations will need to be performed as prescribed by the PIN and P2PE standards. The processes that must be observed include:
- The generation of higher-level and lower-level keys
- Key conveyance, including:
  - Use of tamper-evident authenticatable (TEA) packaging
  - Shipping via multiple channels to demonstrate that key components are not conveyed using the same communication channel
  - Use of out-of-band notifications
  - Communications with the organization receiving the key components
  - Review of TEA packaging on receipt
  - Key component storage
  - Communications with the organization that sent the key components
- Key loading from key components
- The destruction of keys and key components
- Performing key backups
Next Steps to Take Before Your On-Site Visit
The most significant difficulty for organizations is not knowing what will be observed, but you now have a more complete picture of what to expect and which areas will be examined when the time comes. For more information, the PIN and P2PE security standards themselves state what requires observation or demonstration, which should remove any remaining mystery surrounding your upcoming on-site visit.
Of course, the compliance industry remains cognizant of concerns regarding the ongoing pandemic. As such, the PCI SSC has provided guidance on procedure during these unprecedented times, including the possibility of fully remote assessment or a combination of remote and on-site, where the latter only pertains to portions which cannot be done remotely (such as with the aforementioned KIF).
But in regard to on-site visits, the good news is that your assessor can make a single visit to physical locations and simultaneously review the details for multiple standards should you need that–oftentimes, we see site visits paired for both OCI and 3DS, as well as PIN and P2PE.
To learn more about how to prepare yourself best ahead of these assessments, read these articles to simplify these processes for you further:
- How to Prepare for a PIN Assessment
- How to Build 3 Key Encryption Hierarchies and Streamline Your PIN & P2PE Process
About the Author: more content by Sully Perella