Which option is NOT a valid form for storing crypto keys used to encrypt CHD?


Multiple Choice

Which option is NOT a valid form for storing crypto keys used to encrypt CHD?

Explanation:
Keys used to encrypt CHD must be kept in strong, controlled storage, not left in plaintext or in an insecure location. Placing keys in plaintext on a local server is inherently insecure and not acceptable under PCI DSS, which requires that cryptographic keys be protected from unauthorized access.

Using key components or key shares can be valid because it supports dual control and reduces the risk of a single point of failure. Putting keys inside a secure cryptographic device is also a valid and recommended approach, since hardware security modules (HSMs) provide tamper-resistant storage and strict access controls.

The option described as encrypting a data key with a key-encrypting key (KEK) that is at least as strong as the data key and storing the KEK separately from the data key sounds sensible, but PCI DSS requires that any KEK used to wrap other keys be protected within a secure cryptographic device or an equally robust key-management environment. If the KEK isn’t secured in such a device, this storage form does not meet the standard and isn’t guaranteed to be valid.

