WithPCI.com

3.7.3 Secure storage of cryptographic keys

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

3.7.3 Key-management policies and procedures are implemented to include secure storage of cryptographic keys used to protect stored account data.

Customized Approach Objective

Cryptographic keys are secured when stored.

Defined Approach Testing Procedures

3.7.3.a Examine the documented key-management policies and procedures for keys used for protection of stored account data to verify that they define secure storage of cryptographic keys.

3.7.3.b Observe the method for storing keys to verify that keys are stored securely.

Purpose

Storing keys without proper protection could provide access to attackers, resulting in the decryption and exposure of account data.

Good Practice

Data encryption keys can be protected by encrypting them with a key-encrypting key.

Keys can be stored in a Hardware Security Module (HSM).

Secret or private keys that can decrypt data should never be present in source code.

Purpose

Securely delete account data that exceeds retention requirements.

Compliance Strategies

  • Secure deletion tools
  • Automated deletion routines

Typical Policies

  • Data Deletion Policy

Common Pitfalls

  • Incomplete deletion
  • Residual data remains

Type

Technical Control

Difficulty

Moderate

Key Risks

  • Data recovered after deletion

Recommendations

  • Use certified secure deletion methods

Eligible SAQ

  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
