From 24 November to 9 January, eligible PCI SSC stakeholders are invited to review and provide feedback on the draft PCI Key Management Operations (KMO) v1.0 Standard during a 45-day request for comments (RFC) period.
The RFC will be available through the PCI SSC Portal, including instructions on how to access the documents and submit feedback. Eligible stakeholders will also receive instructions via email. As a reminder, participants are required to accept a Non-Disclosure Agreement (NDA) to download the document. Please review the RFC Process Guide for more information.
Please note that PCI SSC can only accept comments that are submitted via the PCI SSC Portal and received within the defined RFC period.
Background on the PCI Key Management Operations (KMO) v1.0 Standard
This is the second RFC for the PCI KMO standard. This updated version features changes made to accommodate feedback from the first RFC, including changes to the organization of the requirements, updates to the environmental security requirements, and general updates to the requirements and guidance themselves.
Example areas of the PCI KMO standard that PCI SSC is soliciting input on include:
- Are the current requirements clearly and correctly stated?
- Are the current requirements sufficiently verifiable?
- Are any requirements missing, given the focus of PCI KMO on PCI PIN and PCI P2PE Domain 5?
- Are any requirements overly onerous or incorrectly addressing extant risk?
The PCI Key Management Operations (KMO) v1.0 Standard defines security requirements, test requirements, and guidance for entities involved in the operation and management of systems that use cryptographic keys for the security of account data. The PCI KMO Standard is intended to address the generic key management requirements for a number of other PCI standards and/or programs. Therefore, the scope includes keys that are used to secure PINs, account data, and other sensitive assets (including other cryptographic keys used as storage, transport, or derivation keys).