3.7.9 Guidance for customers on secure key management
Defined Approach Requirements
3.7.9 Additional requirement for service providers only: Where a service provider shares cryptographic keys with its customers for transmission or storage of account data, guidance on secure transmission, storage and updating of such keys is documented and distributed to the service provider's customers.
Customized Approach Objective
Customers are provided with appropriate key management guidance whenever they receive shared cryptographic keys.
Applicability Notes
This requirement applies only when the entity being assessed is a service provider.
Defined Approach Testing Procedures
3.7.9 Additional testing procedure for service provider assessments only: If the service provider shares cryptographic keys with its customers for transmission or storage of account data, examine the documentation that the service provider provides to its customers to verify it includes guidance on how to securely transmit, store, and update customers' keys in accordance with all elements specified in Requirements 3.7.1 through 3.7.8 above.
Purpose
Providing guidance to customers on how to securely transmit, store, and update cryptographic keys can help prevent keys from being mismanaged or disclosed to unauthorized entities.
Further Information
Numerous industry standards for key management are cited above in the Guidance for Requirements 3.7.1-3.7.8.
Purpose
Document and review exceptions to data retention and disposal policies.
Compliance Strategies
- Exception approval workflow
- Exception review logs
Typical Policies
- Data Retention Exception Policy
Common Pitfalls
- Unapproved exceptions
- No review of exceptions
Type
Process Control
Difficulty
Moderate
Key Risks
- Data retained without justification
Recommendations
- Require management approval for all exceptions
Eligible SAQ
- SAQ-D Service Provider