Request for Comments: PCI Key Management Operations (KMO) v1.0 Standard


 

From 16 June to 18 July, eligible PCI SSC stakeholders are invited to review and provide feedback on the draft PCI Key Management Operations (KMO) v1.0 Standard during a 30-day request for comments (RFC) period.    

The RFC will be available through the PCI SSC Portal, including instructions on how to access the documents and submit feedback. Eligible stakeholders will also receive instructions via email. As a reminder, participants are required to accept a Non-Disclosure Agreement (NDA) to download the document. Please review the RFC Process Guide for more information.  

Please note that PCI SSC can only accept comments that are submitted via the PCI SSC Portal and received within the defined RFC period.   

Background on the PCI Key Management Operations (KMO) v1.0 Standard

The PCI Key Management Operations (KMO) v1.0 Standard defines security requirements, test requirements, and guidance for entities involved in the operation and management of systems that use cryptographic keys for the security of account data.  

The PCI KMO Standard is intended to address the generic key management requirements for a number of other PCI standards and/or programs. Therefore, the scope includes keys that are used to secure PINs, account data, and other sensitive assets (including other cryptographic keys used as storage, transport, or derivation keys).

The initial focus of PCI KMO is to address the key management requirements covered by the PCI PIN and PCI P2PE standards. Future revisions of PCI KMO may address additional specific needs of other data types, such as those covered by the PCI Card Production standards.

PCI KMO requirements cover the entire lifecycle of a cryptographic key, from generation through to destruction, as well as the security of procedures, systems, and equipment used to manage and operate those keys during their lifecycle. 

 




