PCI (Payment Card Industry Security Standard)_Req 3.6.5

PCI (Payment Card Industry Security Standard)

Protect stored cardholder data

Req 3.6.5

3.6.5 Retirement or replacement (for example archiving destruction and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example departure of an employee with knowledge of a clear-text key component) or keys are suspected of being compromised. Note: if retired or replaced cryptographic keys need to be retained these keys must be securely archived (for example by using a key-encryption key). Archived cryptographic keys should only be used for decryption/verification purposes.

Keys that are no longer used or needed or keys that are known or suspected to be compromised should be revoked and/or destroyed to ensure that the keys can no longer be used. If such keys need to be kept (for example to support archived encrypted data) they should be strongly protected. The encryption solution should provide for and facilitate a process to replace keys that are due for replacement or that are known to be or suspected of being compromised.


Click here to Start your FREE trial today!

Explainer video


What is a Cybersecurity Compliance Framework?

You don’t need to clutter your security and privacy programs with an ever-increasing number of tools as they become more sophisticated. The Lionfish platform offers a one-stop solution to track progress and monitor any framework, from custom-built ones to highly-specialized and in-demand top security and privacy frameworks and certifications.

With the Lionfish platform, every framework is supported with guided scoping, policies, controls, automated evidence collection, and continuous monitoring, ensuring efficient preparation for audits or attestation in minimal time.

The Lionfish platform is compatible with a wide range of security and privacy frameworks, including:

Click here to Start your FREE trial today!

Explainer video