Which statement best describes the intent of Requirement 3.6 (key-management processes)?


Multiple Choice

Which statement best describes the intent of Requirement 3.6 (key-management processes)?

Explanation:
The main idea being tested is establishing who is responsible for managing cryptographic keys. Requirement 3.6 is about setting up governance for key management by outlining the roles and responsibilities of the people or teams that handle keys. Clear roles ensure accountability and proper separation of duties, so that key generation, distribution, storage, rotation, revocation, and retirement are performed by designated individuals and can be audited. This governance foundation is what makes key management reliable and secure, because it prevents unclear ownership and makes it possible to track who did what with the keys. While documenting and implementing processes, providing training, or timing documentation with deployment are helpful, the essential purpose of this requirement is to define who is responsible for key-management tasks and how they are to be carried out.

