3.6.1.3 Access to cleartext cryptographic key components
Defined Approach Requirements
3.6.1.3 Access to cleartext cryptographic key components is restricted to the fewest number of custodians necessary.
Customized Approach Objective
Access to cleartext cryptographic key components is restricted to necessary personnel.
Defined Approach Testing Procedures
3.6.1.3 Examine user access lists to verify that access to cleartext cryptographic key components is restricted to the fewest number of custodians necessary.
Purpose
Restricting the number of people who have access to cleartext cryptographic key components reduces the risk of stored account data being retrieved or rendered visible by unauthorized parties.
Good Practice
Only personnel with defined key custodian responsibilities (creating, altering, rotating, distributing, or otherwise maintaining encryption keys) should be granted access to key components.
Ideally this will be a very small number of people.
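The testing procedure above (examine user access lists against the defined custodians) can be scripted. The following is an added example, not text or code from PCI DSS or any vendor; the custodian roster, access-list entries and the two-holders-per-component limit are constructed assumptions standing in for an organization's own key-management policy.

```python
# Added example: audit who can read cleartext key components against the
# list of personnel with defined key-custodian responsibilities (3.6.1.3).
from collections import defaultdict

# Constructed roster: principals with a defined key-custodian role.
CUSTODIANS = {
    "alice": "primary key custodian",
    "bob": "primary key custodian",
    "carol": "backup key custodian",
}

# Constructed access-list export: (principal, key component, permission).
ACCESS_LIST = [
    ("alice", "KEK-01/component-A", "read"),
    ("bob", "KEK-01/component-B", "read"),
    ("carol", "KEK-01/component-A", "read"),
    ("dave", "KEK-01/component-B", "read"),         # no custodian role
    ("svc-backup", "KEK-01/component-A", "read"),   # service account, no role
]


def audit_access(access_list, custodians, max_per_component=2):
    """Return a list of findings.

    Two checks: (1) every principal with access must appear in the custodian
    roster; (2) no component may be readable by more principals than the
    assumed policy limit (here one primary plus one backup custodian).
    """
    findings = []
    holders = defaultdict(set)
    for principal, component, perm in access_list:
        if principal not in custodians:
            findings.append(
                f"{principal} has {perm} on {component} without a custodian role")
        holders[component].add(principal)
    for component, people in sorted(holders.items()):
        if len(people) > max_per_component:
            findings.append(
                f"{component} readable by {len(people)} principals: {sorted(people)}")
    return findings


if __name__ == "__main__":
    for finding in audit_access(ACCESS_LIST, CUSTODIANS):
        print("FINDING:", finding)
```

An empty result is the evidence an assessor looks for; any finding means either the access list or the custodian roster needs correcting.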
Purpose
Store cryptographic keys securely.
Compliance Strategies
- HSMs, encrypted key stores
- Access controls
Typical Policies
- Key Storage Policy
Common Pitfalls
- Keys stored in plaintext
- No access controls
Type
Technical Control
Difficulty
High
Key Risks
- Key theft from insecure storage
Recommendations
- Store keys in HSMs or encrypted files
Eligible SAQ
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER