GRCWatch
Sign inStart free trial

PCI DSS 3.7.8: Obtain Key Custodian Formal Acknowledgment

Cryptographic key custodians must formally document their understanding of their security responsibilities. This control ensures accountability and reduces the risk of unauthorized key access or mishandling. GRCWatch simplifies custodian acknowledgment tracking for growing businesses managing multiple compliance frameworks.

What this means

Control 3.7.8 requires that individuals designated as cryptographic key custodians sign a formal acknowledgment confirming they understand their duties. This documentation creates a record of accountability, demonstrating that custodians have been informed of their critical role in protecting encryption keys. The acknowledgment should outline key handling procedures, security obligations, and consequences of non-compliance. This control applies to all personnel with access to cryptographic keys, whether hardware-based or software-based.

How to comply

  1. 1.Identify all individuals with access to cryptographic keys in your organization
  2. 2.Develop a formal custodian responsibility document outlining key handling procedures and security requirements
  3. 3.Require each custodian to sign and date the acknowledgment form
  4. 4.Maintain signed acknowledgments in a centralized, secure location with audit trail capabilities
  5. 5.Require re-acknowledgment annually or when responsibilities change
  6. 6.Document the acknowledgment process in your key management policy
  7. 7.Train custodians before requiring their signature

Evidence auditors look for

  • Signed custodian acknowledgment forms with dates and employee signatures
  • Key custodian responsibility matrix documenting who handles which keys
  • Annual re-certification or renewal of custodian acknowledgments
  • Training records showing custodian completion of key handling procedures
  • Key management policy explicitly referencing custodian acknowledgment requirements
  • Audit logs showing acknowledgment document creation and signature dates

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates custodian acknowledgment workflows with digital signature collection, automatic re-certification reminders, and centralized audit trails—eliminating manual spreadsheet tracking and ensuring zero missed acknowledgments across your PCI DSS environment.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 3.5 — Restrict access to cryptographic keysPCI DSS 3.6 — Secure cryptographic key storagePCI DSS 8.1 — Implement user authentication