[PCI-DSS] 3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following:
3.6.a Verify the existence of key-management procedures for keys used for encryption of cardholder data. [I]
Note: Numerous industry standards for key management are available from various resources including NIST, which can be found at http://csrc.nist.gov .[/I]
3.6.b For service providers only: If the service provider shares keys with their customers for transmission of cardholder data, verify that the service provider provides documentation to customers that includes guidance on how to securely store and change customer’s keys (used to transmit data between customer and service provider).
3.6.c Examine the key-management procedures and perform the following: