PCI Requirement 3.5.4 – Store Cryptographic Keys in the Fewest Possible Locations

by Randy Bartels / July 28th, 2017

PCI Requirement 3.5.4 states, “Store cryptographic keys in the fewest possible locations.” Reducing the number of locations where cryptographic keys are stored helps your organization track and monitor all key locations. If you have 100 locations, your organization would have to maintain strict control over 100 locations, which could lower the quality of control and increase the chance of unauthorized exposure. Limiting key storage to only the locations that are necessary helps decrease the potential for an attack.

It’s not the assessor’s job to determine whether or not you’re really storing the cryptographic keys in the fewest possible places, but it is our job to ask you why each key is stored in the places where it is. We may ask, “If you have it in 3 locations, why can’t you get away with 2 locations?” At some point, your answer will be your business justification, like, “Because that would render a high risk to our environment.” Assessors are looking to see that you’ve done your due diligence to reduce the number of locations where your cryptographic keys reside. During the assessment, your assessor will also “Examine key storage locations and processes to verify that the keys are stored in the fewest possible locations.”

“We want to limit the places that you store your encryption keys to really the minimum amount of places that are necessary. The purpose for this is that if you have your encryption key stored, while it might sound facetious, in 100 locations, that means you’re going to have to maintain strict control over 100 locations. The fewer possible places where these keys reside, the better off you are as an organization for protecting those keys. Specific to Requirement 3.5, we have a sub-requirement that says we store these keys in the fewest possible locations. From an assessment perspective, it’s not our job or role or charter to define whether or not it’s in the fewest possible locations or not. But, one of the things we’re going to ask you is, “If you have it in 5 places, why don’t you have it in 4?” Or, “If you have it in 3 places, why can’t you get away with 2?” At some point, you’re going to say, “Because this breaks my business process,” or, “This would render a high risk to our environment, such that we wouldn’t be able to protect ourselves in the event of a disaster.” Whatever reason that is, what we’re looking for is that you’ve done your due diligence on where you’re storing those keys, how those keys are being stored, and then indeed, that these keys are stored in the fewest possible locations.”