3.6 Cryptographic keys used to protect stored account data are secured.
This requirement focuses on securing the cryptographic keys used to protect stored account data. It ensures that organizations have controls in place to protect cryptographic keys from disclosure and misuse.
Sub-requirements
- 3.6.1: Procedures to protect cryptographic keys
- 3.6.1.1: Additional requirement for service providers only
- 3.6.1.2: Secret and private keys used to protect stored account data
- 3.6.1.3: Access to cleartext cryptographic key components
- 3.6.1.4: Cryptographic keys are stored in the fewest possible locations
3.6. Cryptographic key management processes and procedures are fully documented and implemented.
Ensure all aspects of cryptographic key management are fully documented, assigned, and implemented for the protection of stored account data.
Key Risks
Frequently Asked Questions
What must be documented in key management?
Key generation, distribution, storage, rotation, destruction, and assignment of responsibilities.
How are keys generated securely?
Using FIPS/NIST-approved random number generators and secure processes.
How are keys distributed securely?
Using secure channels and dual control procedures.
How is key storage secured?
With HSMs or encrypted storage and strict access controls.
How are key management processes reviewed?
Through regular audits, reviews, and updates to documentation.
Common QSA Questions
Can you show evidence of your key management lifecycle?
Yes, we maintain logs and documentation for all key management activities.
How do you ensure keys are distributed and stored securely?
We use secure channels, dual control, and HSMs for all key management.
How do you handle key compromise or expiration?
Keys are rotated or destroyed immediately, and all affected data is re-encrypted as needed.
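As an added illustration of the split-knowledge and dual-control handling the questions above refer to (cleartext key components, secure distribution, verification after a rotation), and not code from this page or from the PCI SSC, the following Python reassembles a key from custodian components in memory only and checks it against a recorded key check value before use; the 256-bit key length and the hash-based key check value are assumptions of this example.

```python
import hashlib
import secrets

KEY_LEN = 32  # assumed 256-bit key-encrypting key


def generate_component() -> bytes:
    """One custodian's component, drawn from the OS CSPRNG (secrets -> os.urandom)."""
    return secrets.token_bytes(KEY_LEN)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("component length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int = 2) -> list[bytes]:
    """Split a key into XOR components (split knowledge): every subset short of
    the full set is uniformly random and reveals nothing about the key."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for c in components:
        last = xor_bytes(last, c)
    return components + [last]


def combine_components(components: list[bytes]) -> bytes:
    """Dual control: the key exists only once every custodian has supplied a component."""
    if len(components) < 2:
        raise ValueError("dual control needs at least two components")
    key = bytes(len(components[0]))
    for c in components:
        key = xor_bytes(key, c)
    return key


def key_check_value(key: bytes) -> str:
    """Key check value recorded in the key inventory so a reassembled key can be
    verified without storing the key. Assumption: first 3 bytes of SHA-256(key)."""
    return hashlib.sha256(key).hexdigest()[:6]


def load_key_under_dual_control(components: list[bytes], expected_kcv: str) -> bytes:
    """Reassemble and verify; a wrong, stale or tampered component fails closed."""
    key = combine_components(components)
    if not secrets.compare_digest(key_check_value(key), expected_kcv):
        raise ValueError("key check value mismatch: refusing to use the key")
    return key
```

The cleartext key only ever exists inside `load_key_under_dual_control`; what gets written to the inventory is the check value, not the key or any component.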