Zach recently asked the PCI DSS guru this question:

“PCI DSS Requirements 3.5 and 3.6 talk about securing data encryption keys and documenting the procedures on how you handle those keys. Now we as a company have decided to not store any cardholder data (CHD), with no exceptions. Since we do not store cardholder data at any level and use tokenization, do we still need to comply with these 2 requirements as there is no CHD to encrypt?”

First, Zach, let me commend you on the work that you’ve done to minimize the scope of your cardholder data environment. I am a strong believer in the idea of minimization. It’s the easiest way to reduce the risk to your organization. If you don’t have data in the first place, you can’t lose it!

You’re also wise to be thinking about this issue. Remember, the entirety of PCI DSS applies to all merchants and, lacking specific guidance from the standard or clarifying documents, it’s up to you to interpret the standard and identify your obligations. You can often do this by examining the testing procedures and guidance included in the full version of the standard. The first requirement you mentioned, PCI DSS requirement 3.5, reads as follows:

“3.5 Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.”

When you read this requirement, logic would dictate that if you don’t have any stored cardholder data, then you have nothing to secure and wouldn’t, therefore, need to document any procedures. IMHO, the “get out of jail free” card that you’re seeking comes in the guidance for this requirement, which contains the following sentence:

“The requirement to protect keys from disclosure and misuse applies to both data-encrypting keys and key-encrypting keys.”

If you don’t have either of these in your environment, then my reading would be that the requirement does not apply and you’re off the hook.

You also asked about PCI DSS requirement 3.6, a similar requirement that mandates that you:

“Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data”

Again, we find some relief in the accompanying guidance, which reads in part:

“This requirement applies to keys used to encrypt stored cardholder data, and any respective key-encrypting keys.”

So, it looks like you’re off the hook on this one! The fact that you’re using tokenization and eliminating the storage of cardholder data in your environment seems to obviate the need for maintaining key management practices. Congratulations!