Bug 221 - Fully document and implement all key management processes and procedures for keys used for encryption of cardholder data
Status: CONFIRMED
Alias: None
Product: E3
Classification: Unclassified
Component: payment
Version: ---
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: Richard Harms
QA Contact:
URL:
Keywords:
Depends on:
Blocks: 219
Reported: 2006-09-10 14:27 CDT by Richard Harms
Modified: 2017-07-15 11:04 CDT

Description Richard Harms 2006-09-10 14:27:57 CDT
3.6 Fully document and implement all key management processes and procedures for keys used for 
encryption of cardholder data, including the following: 
3.6.1 Generation of strong keys 
3.6.2 Secure key distribution 
3.6.3 Secure key storage 
3.6.4 Periodic changing of keys  
• As deemed necessary and recommended by the associated application (for example, 
re-keying); preferably automatically 
• At least annually. 
3.6.5 Destruction of old keys 
3.6.6 Split knowledge and establishment of dual control of keys (so that it requires two or three 
people, each knowing only their part of the key, to reconstruct the whole key) 
3.6.7 Prevention of unauthorized substitution of keys 
3.6.8 Replacement of known or suspected compromised keys 
3.6.9 Revocation of old or invalid keys 
3.6.10 Requirement for key custodians to sign a form stating that they understand and accept 
their key-custodian responsibilities.