What does 3.6.6 require if manual clear-text key-management operations are used?


Multiple Choice

What does 3.6.6 require if manual clear-text key-management operations are used?

Explanation:
Handling cryptographic keys in cleartext through manual operations introduces significant risk. When such manual operations are necessary, PCI DSS requires that no single person can perform the operation alone. This is achieved by split knowledge—the information needed to perform the operation is divided among multiple people so no one has full access—and dual control—at least two authorized individuals must be involved to complete the operation and verify results. These measures provide accountability and reduce the chance of key misuse or leakage. If manual clear-text handling is avoided entirely (e.g., using secure modules or automated processes), this specific requirement wouldn’t apply, but with any manual clear-text operations, split knowledge and dual control are essential.

