PCI DSS 3.7.9: Providing Secure Key-Sharing Guidance to Customers
As a PCI DSS service provider, you're responsible for more than protecting your own cryptographic keys—you must actively guide customers on securing theirs. Control 3.7.9 requires documented, distributed guidance on secure key transmission, storage, and updates. This control bridges the gap between your security posture and your customers' ability to implement it.
What this means
PCI DSS 3.7.9 mandates that service providers create and distribute clear documentation addressing how customers should securely handle cryptographic keys shared with or managed through your services. This includes guidance on transmission methods (e.g., encrypted channels, out-of-band delivery), storage best practices (e.g., hardware security modules, encrypted vaults), and procedures for updating or rotating keys. The guidance must be formally documented and actively distributed to all relevant customers—not buried in fine print.
How to comply
- 1.Develop comprehensive key-sharing documentation covering transmission, storage, and lifecycle management
- 2.Specify secure transmission methods (e.g., TLS, out-of-band delivery mechanisms) for keys shared with customers
- 3.Document secure storage requirements aligned with customer environments (on-premises, cloud, hybrid)
- 4.Define key rotation and update procedures with clear timelines and responsibilities
- 5.Include industry standards references (NIST, SANS) to reinforce guidance credibility
- 6.Distribute documentation to all customers at onboarding and annually via formal channels
- 7.Track distribution and maintain records of customer acknowledgment
- 8.Review and update guidance at least annually or when service changes occur
Evidence auditors look for
- Cryptographic Key-Sharing Security Guidelines document with dated version history
- Customer onboarding checklist that references key-sharing guidance delivery
- Email distribution records showing all customers received the documentation
- Customer acknowledgment forms or portal evidence confirming receipt
- Key transmission procedures specifying encrypted channels and out-of-band options
- Storage guidance for HSM integration, key vaults, and encrypted database storage
- Key rotation schedules with clear frequency and update procedures
- Annual review logs documenting updates to guidance and re-distribution
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates the creation, version control, and distribution tracking of key-sharing guidance documents, generating audit-ready evidence of customer acknowledgment and maintaining compliance records without manual spreadsheet management.
See how GRCWatch handles this control automatically
Start free trial