WithPCI.com

3.7.2 Secure distribution of cryptographic keys

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

3.7.2 Key-management policies and procedures are implemented to include secure distribution of cryptographic keys used to protect stored account data.

Customized Approach Objective

Cryptographic keys are secured during distribution.

Defined Approach Testing Procedures

3.7.2.a Examine the documented key-management policies and procedures for keys used for protection of stored account data to verify that they define secure distribution of cryptographic keys.

3.7.2.b Observe the method for distributing keys to verify that keys are distributed securely.

Purpose

Secure distribution or conveyance of secret or private cryptographic keys means that keys are distributed only to authorized custodians, as identified in Requirement 3.6.1.2, and are never distributed insecurely.

Purpose

Monitor storage locations for account data to ensure retention and disposal policies are followed.

Compliance strategies

  • Automated data discovery
  • Periodic audits

Typical policies

  • Data Monitoring Policy

Common pitfalls

  • Unknown storage locations
  • Missed data during deletion

Type

Technical/Process Control

Difficulty

Moderate

Key risks

  • Data left in unmonitored locations

Recommendations

  • Use data discovery tools for regular scans

Eligible SAQ

  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
