Section 4: Encryption and cryptography
Article 6: Encryption and cryptographic controls
| Article | PCI DSS Requirement | Fortanix Solution | How Fortanix Helps |
|---|---|---|---|
| Art. 6(1) |
Develop, document, and implement a policy on encryption and cryptographic controls. |
Data Security Manager (DSM) Key Insight |
DSM: Centrally manage cryptographic keys, certificates, secrets, and more from one place. Key Insight: Discover and map cryptographic assets to identify vulnerabilities and ensure alignment with documented policies. |
| Art. 6(2)(a) |
Encrypt data at rest and in transit. |
Data Security Manager (DSM) | DSM provides FIPS 140-3 level 3 validated encryption (AES-256, TLS 1.3) for data at rest and in transit. Supports BYOK/HYOK for cloud workloads to enforce encryption standards. |
| Art. 6(2)(b) | Encrypt data in use or use protected environments. | Data Security Manager (DSM) Confidential Computing Manager |
Built on Confidential Computing (Intel SGX), Fortanix secures data in-use across any cloud application, storage, and on-prem environments by isolating critical processes in a secure enclave. |
| Art. 6(2)(c) |
Encrypt internal/external network connections. |
Data Security Manager (DSM) | Enforce TLS 1.3 for encrypted network traffic. Secure API communications (e.g., with external partners) using cryptographic protocols. |
| Art. 6(2)(d) |
Establish cryptographic key management rules (use, protection, lifecycle). |
Manage full cryptographic key lifecycle (generation, rotation, revocation, deletion) with role-based access controls from a single pane of glass for hybrid multicloud. Store keys in FIPS-validated HSMs, available on-prem and as SaaS, for secure protection. | |
| Art. 6(3) |
Select cryptographic techniques aligned with leading standards. |
Data Security Manager (DSM) Key Insight |
DSM implement NIST-approved algorithms (e.g., AES-256, RSA-4096). Key Insight lets you discover non-compliant algorithms (e.g., SHA-1) and recommend upgrades to meet standards. Monitor deviations and enforce mitigation measures. |
| Art. 6(4) |
Update cryptographic technology to address cryptanalysis developments. |
DSM automatically updates cryptographic libraries to address vulnerabilities (e.g., deprecated protocols) via monthly product releases. Key Insight scans for outdated algorithms/certificates and prioritizes remediation. |
|
| Art. 6(5) |
Record mitigation measures and provide explanations. |
DSM generates immutable audit logs of cryptographic operations, including key lifecycle events and policy changes. Key Insight provides automated compliance reports and dashboards to document mitigation actions. |
|
| Section 4: Encryption and cryptograph Article 7: Cryptographic key management |
|||
| Art. 7(1) | Manage cryptographic keys through their full lifecycle (generate, renew, store, backup, archive, retrieve, transmit, retire, revoke, destroy). | Data Security Manager (DSM) | Manage end-to-end key lifecycle (generation, rotation, backup, revocation, deletion) with automation. Securely archive keys in FIPS 140-2 Level3 compliant HSMs, available on-prem or as SaaS. Support multi-cloud key synchronization. |
| Art. 7(2) | Protect keys against loss, unauthorized access, disclosure, or modification. | Store keys in tamper-resistant, scalable HSMs. Enforces RBAC and MFA for key access. Encrypt keys in-transit and at-rest. Audits all access attempts. | |
| Art. 7(3) | Replace cryptographic keys if lost, compromised, or damaged. | Automate key rotation and replacement workflows. Securely back up keys for rapid recovery. Integrate with cloud services to re-encrypt data with your own new keys. | |
| Art. 7(4) | Maintain a register of certificates and certificate-storing devices for critical ICT assets. | Integrate with various CLM partners to provide and protect private keys for the certificates. CLM partners maintain a registry of certificates and cert storing devices. | |
| Art. 7(5) | Ensure prompt renewal of certificates before expiration. | Integrate with various CLM partners to provide and protect private keys for the certificates. CLM partners provide complete certificate lifecycle including discovery and renewal. | |
| Section 5: ICT operations security Article 11: Data and system security |
|||
| Art. 11(1) | Develop, document, and implement a data and system security procedure. | Data Security Manager (DSM) Key Insight |
DSM allows you to centralize encryption, access controls, and secure data workflows as part of the security procedure. Key Insight helps you discover and map cryptographic assets to ensure alignment with documented procedures. |
| Art. 11(2)(a) | Enforce access restrictions (per Article 21). | Data Security Manager (DSM) | Integrates with identity providers (SAML, LDAP, OAuth) for RBAC. Enforces MFA for accessing cryptographic keys, secrets, and sensitive data. |
| Art. 11(2)(b) | Define secure configuration baselines for ICT assets to minimize cyber risks. | Data Security Manager (DSM) Key Insight |
Key Insight helps you scan for misconfigured encryption protocols (e.g., weak TLS versions). DSM enforces encryption policies aligned with leading practices (e.g., FIPS 140-2/3). |
| Art. 11(2)(c) | Ensure only authorized software is installed. | Data Security Manager (DSM) | Restrict access to secrets/keys required for authorized software operations. Ensure cryptographic integrity of software via code-signing keys. |
| Art. 11(2)(d) | Protect against malicious code. | Data Security Manager (DSM) | While Fortanix does not directly handle anti-malware, DSM secures cryptographic keys/secrets and cryptographically signs code to validate code integrity, mitigating risks from compromised systems. |
| Art. 11(2)(e) | Use only authorised data storage media/systems. | Data Security Manager (DSM) | Encrypts/tokenizes data, ensuring it remains secure even if transferred to unauthorized media. Enforces policies to restrict decryption to approved systems. |
| Art. 11(2)(f)(i) | Remote management and data wipe for endpoint devices. | Securely manages secrets/keys on endpoint devices. If a device is lost/stolen, revokes access to keys, rendering encrypted data inaccessible. | |
| Art. 11(2)(f)(ii) | Use tamper-proof security mechanisms on devices. | Stores keys in secure enclaves (e.g., Intel SGX) to prevent unauthorized modification. Enforces RBAC/MFA to protect cryptographic operations. | |
| Art. 11(2)(f)(iii) | Restrict removable storage use to risk tolerance. | Encrypts data on removable devices using FIPS-validated algorithms. Access to decryption keys is controlled via RBAC, ensuring compliance with risk policies. | |
| Art. 11(2)(g) | Securely delete unneeded data. | Cryptographic erasure: Destroy encryption keys to render data permanently inaccessible. Logs deletion events for audit trails. | |
| Art. 11(2)(h) | Securely dispose/decommission storage devices. | Ensures data on decommissioned devices is irrecoverable by cryptographically shredding keys. Validates deletion via audit logs. | |
| Art. 11(2)(i) | Prevent data loss/leakage. | Encrypts/tokenizes sensitive data at rest, in transit, and in use. Unauthorized access to raw data is prevented even if devices are compromised. | |
| Art. 11(2)(j) | Secure teleworking/private devices. | Enforces confidential computing (e.g., secure enclaves) for remote data processing. Restricts access to keys/secrets via RBAC/MFA, ensuring secure teleworking. | |
| Art. 11(2)(k) | Ensure third-party ICT providers maintain resilience. | Data Security Manager (DSM) Key Insight |
DSM: Secures third-party integrations via BYOK/HYOK and encrypted APIs. Key Insight: Monitors third-party cryptographic assets (e.g., certificates, keys) for compliance with resilience standards. |
| Art. 11(3) | Align baselines with leading practices (e.g., standards). | Key Insight | Audits configurations against NIST and other standards. Recommends updates to deprecated protocols or algorithms. |
| Art. 11(4)(a-d) | Third-party service provider governance (vendor settings, roles, competencies). | Data Security Manager (DSM) | Enforces clear ownership of keys/secrets (financial entity retains control). Provides logs to verify third-party compliance with security roles/responsibilities. |
| Section 6: Network security Article 13: Network security management |
|||
| Art. 13(1) | Develop, document, and implement network security policies, procedures, and tools. | Data Security Manager (DSM) Key Insight |
DSM: Enforces encryption and access controls for network traffic. Key Insight: Discovers cryptographic assets (e.g., TLS certificates) to align network security with policies. |
| Art. 13(a) | Segregate/segment networks based on criticality, classification, and risk. | Data Security Manager (DSM) | Encrypts sensitive data flows between segregated networks (e.g., TLS 1.3). Restricts access to decryption keys based on network segmentation policies. |
| Art. 13(b) | Document network connections and data flows. | Key Insight | Discover and map cryptographic assets (e.g., certificates, keys) involved in network connections. Provides visibility into encrypted data flows. |
| Art. 13(c) | Use a dedicated network for ICT asset administration. | Data Security Manager (DSM) | Secure administrative access to cryptographic keys/secrets via RBAC and MFA. Encrypt traffic between administrative networks and other segments. |
| Art. 13(d) | Prevent unauthorized devices from connecting to the network. | Restrict access to network resources by enforcing certificate-based authentication (e.g., mutual TLS) for devices. | |
| Art. 13(e) | Encrypt network connections (corporate, public, wireless). | Enforce TLS 1.3 for encrypted network traffic. Provide FIPS 140-2/3 validated encryption for data in transit. | |
| Art. 13(f) | Design networks to ensure confidentiality, integrity, and availability. | Secure network traffic with encryption and integrity checks (e.g., HMAC). Protect keys used for network security in FIPS-validated HSMs. | |
| Art. 13(g) | Secure traffic between internal networks and external connections. | Encrypt API traffic with external partners using cryptographic protocols (e.g., TLS, AES-GCM). Support BYOK for cloud gateways. | |
| Art. 13(j) | Isolate subnetworks/components when necessary. | Encrypt data in isolated segments using unique keys. Restrict key access to authorized subnetwork components. | |
| Art. 13(k) | Implement secure baselines and hardening for network devices. | Validate network device configurations against cryptographic standards (e.g., NIST). | |
| Art. 13(l) | Terminate inactive sessions. | Enforce session timeouts for access to cryptographic keys/secrets. Integrate with SIEM tools to log session activity. | |
| Art. 13(m) | Define security measures in network service agreements. | Data Security Manager (DSM) | Encrypt data shared with third-party network providers. Monitor third-party compliance with encryption standards (e.g., TLS 1.3). |
| Section 6: Network security Article 14: Securing information in transit |
|||
| Art. 14(1a) | Ensure availability, authenticity, integrity, and confidentiality of data in transit. | Data Security Manager (DSM) | Enforce FIPS 140-2/3 validated encryption (e.g., TLS 1.3, AES-256) for data in transit. Ensure integrity via HMAC and authenticity via certificate-based mutual TLS. |
| Art. 14(1a) | Establish procedures to assess compliance with data protection requirements. | Key Insight | Scan systems and generate reports to validate compliance with encryption standards (e.g., NIST, GDPR). |
| Art. 14(1b) | Prevent/detect data leaks and secure transfers with external parties. | Data Security Manager (DSM) Key Insight |
Encrypt sensitive data shared externally using TLS or AES. Tokenize data to prevent exposure of sensitive PII. Restrict decryption to authorized systems via RBAC. |
| Art. 14(1c) | Implement, document, and review confidentiality/non-disclosure agreements. | Enforce access controls (RBAC/MFA) with DSM to encrypt data. Log all access attempts and data transfers for audit trails. Monitor adherence to confidentiality policies via automated reports with Key Insight. |
|
| Art. 14(2) | Design policies based on data classification and ICT risk assessment. | DSM allows you to apply encryption and tokenization policies aligned with data classification (e.g., higher-grade encryption for sensitive data). Key Insight maps cryptographic assets to risk levels. |
|
