3.7 Key management processes and procedures for cryptographic keys used for encryption of stored account data
This requirement focuses on key management processes and procedures covering all aspects of the key lifecycle. It ensures that organizations have controls in place to manage cryptographic keys throughout their lifecycle, from generation to destruction.
Sub-requirements
- 3.7.1: Generation of strong cryptographic keys
- 3.7.2: Secure distribution of cryptographic keys
- 3.7.3: Secure storage of cryptographic keys
- 3.7.4: Cryptographic key changes for expired keys
- 3.7.5: Retirement, replacement, or destruction of cryptographic keys
- 3.7.6: Split knowledge and dual control for manual key management operations
- 3.7.7: Prevention of unauthorized substitution of cryptographic keys
- 3.7.8: Formal acknowledgment of key-custodian responsibilities
- 3.7.9: Guidance for customers on secure key management
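The lifecycle controls listed above, as an added illustration that is not part of this page or of any PCI SSC material: a small Python key registry (the names KeyRegistry, split_key and key_check_value are assumed for this example) that draws a key from the OS CSPRNG, XOR-splits it into custodian components so no one person holds the whole key, keeps a key check value to detect a substituted key, and moves a key through active, retired and destroyed states. Production systems would hold the key material in an HSM or KMS rather than in process memory; the logic here only shows the checks each lifecycle step implies.

```python
import os, hmac, hashlib

KEY_BYTES = 32  # 256-bit data-encrypting key drawn from the OS CSPRNG (3.7.1)

def generate_key() -> bytes:
    return os.urandom(KEY_BYTES)

def combine_key(components: list) -> bytes:
    # XOR-fold: the key is recovered only when every component is present
    key = bytes(len(components[0]))
    for c in components:
        key = bytes(x ^ y for x, y in zip(key, c))
    return key

def split_key(key: bytes, parts: int = 2) -> list:
    # each custodian holds one random-looking share (split knowledge, 3.7.6)
    shares = [os.urandom(len(key)) for _ in range(parts - 1)]
    return shares + [combine_key(shares + [key])]

def key_check_value(key: bytes) -> str:
    # short value kept with the key metadata; a substituted key fails the check
    # before it is used (3.7.7); 24 bits of an HMAC reveal nothing useful about the key
    return hmac.new(key, b"KCV", hashlib.sha256).hexdigest()[:6]

class KeyRegistry:
    """Lifecycle record per key: active -> retired -> destroyed (3.7.4, 3.7.5)."""
    def __init__(self, lifetime_days: int = 365):
        self.lifetime, self.keys = lifetime_days * 86400, {}  # seconds

    def install(self, key: bytes, now: float) -> str:
        key_id = f"dek-{len(self.keys) + 1:04d}"  # constructed id scheme
        self.keys[key_id] = {"key": bytearray(key), "kcv": key_check_value(key),
                             "expires": now + self.lifetime, "status": "active"}
        return key_id

    def usable(self, key_id: str, candidate: bytes, now: float) -> bool:
        # refuse expired, retired and substituted keys before any encryption call
        rec = self.keys[key_id]
        return (rec["status"] == "active" and now < rec["expires"]
                and hmac.compare_digest(rec["kcv"], key_check_value(candidate)))

    def rotate(self, key_id: str, now: float) -> str:
        self.keys[key_id]["status"] = "retired"  # kept only to re-encrypt old data
        return self.install(generate_key(), now)

    def destroy(self, key_id: str) -> None:
        rec = self.keys[key_id]
        rec["key"][:] = bytes(len(rec["key"]))  # best-effort in-place zeroisation
        rec["status"] = "destroyed"
```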
3.7. Account data retention and disposal policies are implemented and enforced.
Ensure account data is retained only as long as necessary and securely deleted when no longer needed.
Frequently Asked Questions
Why is data retention and disposal important?
Limiting data retention reduces risk and exposure in the event of a breach.
How should data retention policies be enforced?
Through automated deletion routines, regular audits, and staff training.
What is required for data deletion verification?
Documented evidence that data was deleted, such as logs or audit reports.
How are exceptions to retention policies managed?
Through documented approval processes and regular review of exceptions.
Who should be trained on retention and disposal policies?
All personnel who handle account data or manage data storage systems.
Common QSA Questions
Can you provide your data retention and disposal policies?
Yes, we have documented policies that define retention periods and secure deletion processes.
How do you verify that data deletion is successful?
We conduct periodic audits and maintain logs of all deletion activities.
How are exceptions to data retention policies handled?
Exceptions require management approval and are reviewed regularly.