logo 9

PCI DSS 4.0 and Quantum Cryptography

Compiled and researched by Steve Monti SafeCipher.com

PCI DSS 4.0 introduces several new cryptographic requirements to enhance data security in line with evolving threats and technologies. Especially those related to Quantum Computing. These requirements include:

Requirement 12.3.3: Cryptographic Inventory

·       Maintain an up-to-date, documented inventory of all cryptographic ciphers and protocols used within the organization.

·       The inventory should include the purpose for which each cipher is used and where it is implemented within the infrastructure.

Requirement 12.3.3: Monitoring Industry Trends

·       Actively monitor industry trends regarding the continued viability of cryptographic cipher suites and protocols in use.

·       Specifically, organizations should track NIST’s updates on post-quantum cryptography standards and proposed timelines for deprecating quantum-vulnerable ciphers.

·       Assign formal responsibility for monitoring and document procedures for ongoing surveillance.

Requirement 12.3.3: Plan for Migration

·       Develop a comprehensive plan for migrating to post-quantum cryptography standards within a reasonable timeframe.

·       The migration plan should include milestones demonstrating progress towards full implementation of post-quantum cryptography by 2035.

·       Address potential vulnerabilities in cryptography beyond those posed by quantum computing and document corresponding mitigation strategies.

Note:Requirement 12.3.3 in PCI DSS 4.0 pertains to cryptographic agility, including aspects related to post-quantum cryptography (PQC). It becomes mandatory after March 31, 2025. This requirement underscores the necessity for organizations to prepare for the adoption of new cryptographic standards, including those designed to mitigate risks posed by quantum computing advancements.

These new requirements emphasize the importance of proactive measures to adapt cryptographic practices to emerging threats, particularly those related to quantum computing. By maintaining detailed inventories, monitoring industry developments, and planning for migration to post-quantum cryptography, organizations can enhance their resilience against evolving cyber risks and ensure compliance with PCI DSS 4.0 standards.