3.7.3 Secure storage of cryptographic keys
Defined Approach Requirements
3.7.3 Key-management policies and procedures are implemented to include secure storage of cryptographic keys used to protect stored account data.
Customized Approach Objective
Cryptographic keys are secured when stored.
Defined Approach Testing Procedures
3.7.3.a Examine the documented key-management policies and procedures for keys used for protection of stored account data to verify that they define secure storage of cryptographic keys.
3.7.3.b Observe the method for storing keys to verify that keys are stored securely.
Purpose
Storing keys without proper protection could provide access to attackers, resulting in the decryption and exposure of account data.
Good Practice
Data encryption keys can be protected by encrypting them with a key-encrypting key.
Keys can be stored in a Hardware Security Module (HSM).
Secret or private keys that can decrypt data should never be present in source code.
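The Good Practice above describes a key-encrypting key (KEK) wrapping the data-encryption keys (DEKs) and keys that are never present in source code. The Go example below is added here as an illustration and is not code from the PCI SSC or this site; it assumes a KEK supplied at runtime through an environment variable named KEK_HEX (an assumed name standing in for an HSM or key-vault call) and wraps each DEK with AES-256-GCM so that only the wrapped blob, never the plaintext DEK, is persisted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"os"
)

// LoadKEK reads the KEK at runtime from KEK_HEX (assumed name; production uses an HSM or vault).
func LoadKEK() ([]byte, error) {
	kek, err := hex.DecodeString(os.Getenv("KEK_HEX"))
	if err != nil || len(kek) != 32 {
		return nil, errors.New("KEK_HEX must hold a hex-encoded 32-byte key")
	}
	return kek, nil
}

// newGCM builds an AES-256-GCM AEAD from the KEK, refusing any other key size.
func newGCM(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek) // rejects anything but 16/24/32 bytes
	if err != nil || len(kek) != 32 { // additionally insist on AES-256
		return nil, errors.New("KEK must be a 32-byte AES-256 key")
	}
	return cipher.NewGCM(block)
}

// WrapDEK encrypts a data-encryption key under the KEK; only the returned blob
// (nonce || ciphertext || GCM tag) is written to storage, never the plaintext DEK.
func WrapDEK(kek, dek []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every wrap
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, dek, []byte("dek-v1")), nil
}

// UnwrapDEK recovers the DEK; a wrong KEK or a modified blob fails the GCM tag check.
func UnwrapDEK(kek, wrapped []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil || len(wrapped) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("invalid KEK or wrapped blob too short")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, wrapped[:n], wrapped[n:], []byte("dek-v1"))
}
```

An assessor checking 3.7.3.b would expect to see only the output of WrapDEK at rest and the KEK reachable solely through the runtime lookup, not a literal in the repository.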
Purpose
Securely delete account data that exceeds retention requirements.
Compliance Strategies
- Secure deletion tools
- Automated deletion routines
Typical Policies
- Data Deletion Policy
Common Pitfalls
- Incomplete deletion
- Residual data remains
Type
Technical Control
Difficulty
Moderate
Key Risks
- Data recovered after deletion
Recommendations
- Use certified secure deletion methods
Eligible SAQ
- SAQ-D MERCHANT
- SAQ-D SERVICE PROVIDER