Which statement about keys for stored cardholder data is true?

• A. Document and implement procedures to protect keys used to secure stored CHD, including key-encrypting keys at least as strong as data-encryption keys.
• B. Keys do not require documentation.
• C. Only data-encryption keys require protection; key-encrypting keys do not.
• D. Keys can be shared among multiple organizations with no restrictions.

Answer: (A)

Key management for stored cardholder data requires formal, documented procedures and strong protection for all keys, including the key-encrypting keys (KEKs). This matters because the KEK protects the data-encryption keys (DEKs) that actually secure the CHD. If the KEK is weaker than the DEKs it protects, compromising the KEK could expose many DEKs and the data they safeguard. So, having documented, implemented procedures ensures consistent control over key generation, storage, access, rotation, and revocation, and it enforces the practice that KEKs are at least as strong as DEKs.

The other statements fall short of these requirements. Keys must be documented and controlled, KEKs require protection and strength comparable to DEKs, and sharing keys across organizations is not permitted due to security and segregation concerns.