[PA-DSS] 2.7 Securely delete any cryptographic key material or cryptogram stored by previous versions

2.7 Securely delete any cryptographic key material or cryptogram stored by previous versions of the payment application, in accordance with industry-accepted standards for secure deletion, as defined, for example, by the list of approved products maintained by the National Security Agency, or by other State or National standards or regulations. These are the cryptographic keys used to encrypt or verify cardholder data.

PCI Data Security Standard Requirement 3.6

Note: this requirement only applies if previous versions of the payment application used cryptographic key materials or cryptograms to encrypt cardholder data.

Testing Procedures:

2.7.a Review the PA-DSS Implementation Guide prepared by the vendor and verify the documentation includes the following instructions for customers and resellers/integrators:

[ul]
[li]That cryptographic material must be removed[/li]
[li]How to remove cryptographic material[/li]
[li]That such removal is absolutely necessary for PCI DSS compliance[/li]
[li]How to re-encrypt historic data with new keys[/li]
[/ul]

2.7.b Verify that the vendor provides a secure wipe tool or procedure to remove cryptographic material.

2.7.c Verify, through use of forensic tools and/or methods, that the secure wipe tool or procedure securely removes the cryptographic material, in accordance with industry-accepted standards for secure deletion of data.
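The three testing procedures describe one lifecycle: re-encrypt historic data under a new key (2.7.a), run a wipe tool against the old key material (2.7.b), then verify with forensic methods that nothing of the old key remains (2.7.c). The following is an added example of that sequence, written for this page; it is not code from the PA-DSS or from any vendor. It assumes the old data-encryption key is a 32-byte file on disk and that records are small authenticated ciphertexts. The cipher is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, chosen only so the example runs with the standard library; a real application would use AES-GCM or a validated module. The key, the records and the card numbers are constructed test values.

```python
"""Rotate a data-encryption key, wipe the old key file, verify no residue.

Added example, not PA-DSS or vendor code. The HMAC-based cipher stands in
for AES-GCM; the ordering (re-encrypt, then wipe, then verify) is the point.
"""
import hashlib
import hmac
import os
import secrets
import tempfile

KEY_LEN = 32    # assumed key size of the old data-encryption key
NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode PRF stream: HMAC(enc_key, nonce || counter) blocks.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Output layout: nonce || ciphertext || tag (encrypt-then-MAC).
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered record")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def reencrypt_records(old_key: bytes, new_key: bytes, records: list) -> list:
    # 2.7.a "re-encrypt historic data with new keys": decrypt under the old key
    # and re-encrypt under the new one BEFORE the old key is destroyed, so a
    # failure here leaves the data recoverable.
    return [encrypt(new_key, decrypt(old_key, blob)) for blob in records]


def secure_wipe_file(path: str, passes: int = 3) -> bytes:
    # 2.7.b wipe procedure: overwrite the key file in place (random passes,
    # then zeros), fsync each pass, read back the final image, then unlink.
    # Caveat: on journaling file systems and wear-levelled SSDs an in-place
    # overwrite does not guarantee the old blocks are gone; full-disk or
    # key-wrapped storage with crypto-erase is the dependable control.
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(secrets.token_bytes(size))
            fh.flush()
            os.fsync(fh.fileno())
        fh.seek(0)
        fh.write(b"\x00" * size)
        fh.flush()
        os.fsync(fh.fileno())
        fh.seek(0)
        final_image = fh.read()
    os.unlink(path)
    return final_image


def key_residue_present(data: bytes, key: bytes) -> bool:
    # 2.7.c-style forensic check: look for the old key, or any 16-byte window
    # of it, in a byte image (a file, a partition dump, a memory snapshot).
    return any(key[i:i + 16] in data for i in range(0, len(key) - 15))


def old_key_rejected(old_key: bytes, rotated: list) -> bool:
    # After rotation the old key must fail authentication on every record.
    try:
        decrypt(old_key, rotated[0])
    except ValueError:
        return True
    return False


def rotate_and_wipe_demo() -> dict:
    # Constructed sample: two well-known test card numbers, not real PANs.
    plaintexts = [b"4111111111111111", b"5555555555554444"]
    old_key, new_key = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
    records = [encrypt(old_key, p) for p in plaintexts]
    with tempfile.TemporaryDirectory() as tmp:
        key_path = os.path.join(tmp, "old_dek.key")   # assumed key file name
        with open(key_path, "wb") as fh:
            fh.write(old_key)
        rotated = reencrypt_records(old_key, new_key, records)
        image = secure_wipe_file(key_path)
        return {
            "plaintexts_preserved": [decrypt(new_key, r) for r in rotated] == plaintexts,
            "old_key_file_exists": os.path.exists(key_path),
            "old_key_residue_found": key_residue_present(image, old_key),
            "old_key_rejected": old_key_rejected(old_key, rotated),
        }


if __name__ == "__main__":
    print(rotate_and_wipe_demo())
```

The order matters for an assessor reading 2.7.a: the re-encryption must complete and be verified against the new key before the wipe runs, otherwise a failed rotation leaves historic data unrecoverable. The residue scan is the part a forensic reviewer would repeat against a disk or memory image rather than against the file's own read-back, which is why the caveat on SSDs and journaling file systems belongs in the vendor's Implementation Guide.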