PCI Requirement 3.5.2 states, “Restrict access to cryptographic keys to the fewest number of custodians necessary.” There should be very few employees who have access to your organization’s cryptographic keys. Typically, only those deemed “key custodians” have this type of access. In order to comply with PCI Requirement 3.5.2, your organization needs to maintain strict access controls around who has access to cryptographic keys in order to prevent an unauthorized user from gaining access to the encryption/decryption keys.
Wherever keys reside, there needs to be strict control. Whether that’s in a safe, somewhere electronic, or backed up, an assessor will want to examine where your keys reside. An assessor will also want to see the list of users who have access to keys, and ensure that the list includes the fewest number of key custodians as possible.
If we’re encrypting cardholder data – or any other data for that matter – and somebody gains access to your encryption/decryption keys, chances are it’s game over. They can look to decrypt that data or gain access to it. PCI DSS Requirement 3.5.2 states that your organization needs to maintain strict access controls around who has access to these keys. There’s going to be several places, from an assessment perspective, that we look to see where these keys are stored. You might have them physically in a safe somewhere, we might look to see how you’re storing them electronically, we might ask how you’re backing them up. In any event, wherever these keys reside, you need to maintain strict control over those particular keys.