PCI DSS Audit – Crypto Examples

These PCI DSS audit crypto examples are drawn from our own research on the subject. For more detailed information, download our PCI DSS case study.

Payment Card Industry Association Data Security Standard Audits

Payment Card Industry Association Data Security Standard (PCI-DSS) is an information security standard entities must adhere to in order to process cardholder data for the major payment card schemes. Compliance is audited at least every 12 months, with the audit regime depending on the size and function of the entity.

The PCI-DSS Standard, now in version 3.2, contains more than 200 sub-points that address various organizational and technical aspects of how the entity must organize its information security. For all entities, the compliance process is extremely costly, while successfully passing the audit can be business-critical.

Of the 89 technical requirements, about a quarter (22) concern cryptography; 21 of those can be treated by Cryptosense Analyzer.

PCI DSS audit crypto examples

Among the 205 sub-points of the PCI-DSS standard, we can identify two types of requirement: procedural requirements, verified by interviewing personnel or by observing processes in action, and technical requirements, verified by inspecting technical artifacts such as code or configuration files. Applying this distinction to the 205 sub-points gives 116 procedural requirements and 89 technical requirements.

Here are some examples of how Cryptosense Analyzer can be used to fulfill these compliance obligations.

Requirement 3.5.1

Section 3 of PCI-DSS concerns the protection of cardholder data: 9 of the 12 requirements in this section concern cryptography, and all of them can be treated using Analyzer. For example:

3.5.1 Maintain a documented description of the cryptographic architecture that includes:
- Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date
- Description of the key usage for each key
- Inventory of any HSMs and other SCDs used for key management

Treatment

Cryptosense Analyzer produces a full cartography of the cryptography used by an application, including all the operations, protocols, and key lengths. Additionally, Analyzer reports detail key usage and determine whether the keys were used and stored in a secure way. Cryptosense Analyzer for PKCS#11 captures details of the operations of HSMs and can report on the keys stored as well as the security of the HSM’s configuration.

Requirement 6.5.3

Requirement 6 in PCI-DSS covers the development and maintenance of secure systems and applications. Of 16 technical requirements in this section, 7 involve cryptography and all are treated by Cryptosense Analyzer. For example:

6.5.3 Examine software-development policies and procedures and interview responsible personnel to verify that insecure cryptographic storage is addressed by coding techniques that:
- Prevent cryptographic flaws
- Use strong cryptographic algorithms and keys

Treatment

Cryptosense Analyzer verifies all cryptographic operations carried out by an application to ensure that only strong algorithms are used and that cryptographic flaws are avoided.
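As an added example (not part of the original page and not Cryptosense Analyzer code), the following Python walks a small constructed key inventory and flags the records that would fail the two requirements quoted above: 3.5.1 (undocumented key usage, missing or past expiry date) and 6.5.3 (algorithms that are not strong, key sizes below a minimum). It also builds the algorithm/SCD summary that a 3.5.1 architecture description needs. The inventory format, the `KeyRecord` fields, the `FORBIDDEN` set and the `MIN_KEY_BITS` thresholds are assumptions made for illustration; confirm the thresholds against the standard's glossary definition of strong cryptography before relying on them.

```python
"""Constructed crypto-inventory check against PCI-DSS 3.5.1 and 6.5.3.

Example code, not Cryptosense Analyzer output. Thresholds and record
layout are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    algorithm: str            # e.g. "AES", "RSA", "TDES" (assumed labels)
    bits: int                 # key strength in bits
    usage: str                # documented purpose; "" if undocumented
    expires: Optional[date]   # None if no expiry date is documented
    stored_in: str            # "HSM" or "software" (assumed vocabulary)


@dataclass(frozen=True)
class Finding:
    key_id: str
    requirement: str          # "3.5.1" or "6.5.3"
    message: str


# Assumed minimum key sizes in bits (NIST-style minimums; verify against the
# PCI-DSS glossary before use). TDES is required at triple length here.
MIN_KEY_BITS = {"AES": 128, "TDES": 168, "RSA": 2048, "EC": 224, "DSA": 2048, "DH": 2048}
# Algorithms assumed never acceptable for protecting cardholder data.
FORBIDDEN = {"DES", "RC2", "RC4", "MD5", "SHA1"}


def audit_key(rec: KeyRecord, today: date) -> List[Finding]:
    """Return every 3.5.1 / 6.5.3 finding for one inventory record."""
    findings = []
    alg = rec.algorithm.upper()
    # 6.5.3: strong algorithms and keys
    if alg in FORBIDDEN:
        findings.append(Finding(rec.key_id, "6.5.3", f"{alg} is not a strong algorithm"))
    elif alg in MIN_KEY_BITS and rec.bits < MIN_KEY_BITS[alg]:
        findings.append(Finding(rec.key_id, "6.5.3",
                                f"{alg}-{rec.bits} is below the assumed minimum of {MIN_KEY_BITS[alg]} bits"))
    elif alg not in MIN_KEY_BITS:
        findings.append(Finding(rec.key_id, "6.5.3", f"{alg} has no strength rule; review manually"))
    # 3.5.1: documented usage and expiry for each key
    if not rec.usage:
        findings.append(Finding(rec.key_id, "3.5.1", "key usage is not documented"))
    if rec.expires is None:
        findings.append(Finding(rec.key_id, "3.5.1", "no expiry date documented"))
    elif rec.expires < today:
        findings.append(Finding(rec.key_id, "3.5.1", f"key expired on {rec.expires.isoformat()}"))
    return findings


def audit(inventory: List[KeyRecord], today: date) -> List[Finding]:
    """Audit a whole inventory; an empty list means no non-compliance found."""
    return [f for rec in inventory for f in audit_key(rec, today)]


def architecture_summary(inventory: List[KeyRecord]) -> dict:
    """Algorithms with their key sizes plus the SCDs in use (input to a 3.5.1 description)."""
    summary = {"keys": len(inventory), "algorithms": {}, "scds": set()}
    for rec in inventory:
        summary["algorithms"].setdefault(rec.algorithm.upper(), set()).add(rec.bits)
        if rec.stored_in != "software":
            summary["scds"].add(rec.stored_in)
    return summary


# Constructed sample inventory (not real keys or a real deployment).
AUDIT_DATE = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    KeyRecord("k1", "AES", 256, "PAN encryption at rest", date(2026, 1, 1), "HSM"),
    KeyRecord("k2", "TDES", 112, "legacy PIN block", date(2025, 1, 1), "HSM"),      # two-key TDES
    KeyRecord("k3", "RSA", 1024, "key wrapping", date(2020, 1, 1), "software"),     # weak and expired
    KeyRecord("k4", "AES", 128, "", None, "software"),                              # undocumented
    KeyRecord("k5", "RC4", 128, "session encryption", date(2025, 1, 1), "software"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f"[{f.requirement}] {f.key_id}: {f.message}")
    print(architecture_summary(SAMPLE_INVENTORY))
```

Running the block lists six findings: one 6.5.3 finding each for k2, k3 and k5, and 3.5.1 findings for the expired k3 and for k4, whose usage and expiry are undocumented. A real inventory would be generated from the application's actual key store or HSM rather than typed in by hand, which is the gap a tool such as Analyzer is meant to close.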

Detect non-compliances before an audit without manual analysis

Cryptography plays a major and growing part in PCI-DSS compliance. Cryptosense Analyzer covers almost all of the crypto-related requirements, which account for 24% of the technical requirements that must be satisfied for an audit and are among the most difficult and time-consuming to verify by hand. Cryptosense Analyzer therefore represents a strong return on investment thanks to its ability to detect non-compliances before an audit and to provide reports that serve as evidence that technical requirements are met.

Try a Free 14-day Trial

Cryptosense Analyzer audits your applications and infrastructure to find vulnerabilities and understand your crypto landscape. Use it to optimise bug-fix resources and demonstrate compliance.