GRCWatch
Sign inStart free trial

PCI DSS 3.6.1.1: Documenting Your Cryptographic Architecture

PCI DSS 3.6.1.1 requires service providers to maintain detailed documentation of their cryptographic architecture. This control ensures your encryption strategy is transparent, auditable, and properly implemented across all systems handling cardholder data.

What this means

This additional requirement for service providers mandates that you create and maintain comprehensive documentation describing your entire cryptographic architecture. This includes all algorithms, key management processes, encryption standards, protocols, and the systems where cryptography is deployed. The documentation must be clear enough for auditors and internal teams to understand how encryption protects cardholder data throughout your environment.

How to comply

  1. 1.Create a comprehensive cryptographic architecture document that maps all encryption implementations across your infrastructure
  2. 2.Document all cryptographic algorithms, protocols, and standards in use (e.g., AES, TLS, RSA) with version numbers
  3. 3.Detail your key management lifecycle including generation, storage, rotation, and destruction procedures
  4. 4.Identify all systems and data flows where cryptography is applied, particularly those handling cardholder data
  5. 5.Include diagrams or flowcharts showing how encrypted data moves through your network and systems
  6. 6.Document the purpose and security justification for each cryptographic implementation
  7. 7.Establish a review and update schedule (at minimum annually) to keep documentation current with system changes
  8. 8.Make documentation easily accessible to internal teams, auditors, and assessors during compliance reviews

Evidence auditors look for

  • Cryptographic architecture documentation with detailed system diagrams and data flow illustrations
  • Algorithm inventory listing all cryptographic methods deployed with implementation dates and versions
  • Key management policy documentation describing generation, storage, access, rotation, and retirement procedures
  • Network diagrams showing encryption points and encrypted data channels throughout the environment
  • System configuration documentation proving cryptographic implementations match documented architecture
  • Audit logs and validation reports confirming cryptographic controls function as documented
  • Change management records showing updates to cryptographic architecture documentation over time
  • Audit or assessment reports from qualified security assessors validating documentation completeness

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically catalogs your cryptographic systems and generates audit-ready architecture documentation, eliminating manual mapping and keeping your compliance record current as your infrastructure evolves.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 3.5.1 - Cryptography policy and proceduresPCI DSS 3.6 - Encryption of cardholder dataPCI DSS 3.6.2 - Key management procedures