GRCWatch
Sign inStart free trial

PCI DSS 3.6.1.3: Split Knowledge and Dual Control Requirements

Manual cryptographic key management demands the highest security controls. PCI DSS 3.6.1.3 requires split knowledge and dual control to prevent unauthorized key exposure in cleartext environments. This control ensures no single individual can access or compromise your organization's encryption keys.

What this means

Split knowledge means dividing cryptographic key material so that no single person possesses the complete key. Dual control requires that at least two authorized individuals must participate in any key-management procedure involving cleartext keys. Together, these controls prevent insider threats and unauthorized key disclosure during manual key operations.

How to comply

  1. 1.Divide all cryptographic keys into at least two components, with each component held by a different authorized person
  2. 2.Document which individuals hold each key component and maintain a current access roster
  3. 3.Require both key custodians to be present and verify identity before any cleartext key operation
  4. 4.Log all key-management activities including who accessed the key, when, and for what purpose
  5. 5.Establish a key ceremony procedure that mandates dual presence for any key generation, installation, or rotation
  6. 6.Train all key custodians on split knowledge procedures and dual control requirements
  7. 7.Audit key-management activities quarterly to ensure compliance with dual control policies

Evidence auditors look for

  • Key custody agreements signed by at least two authorized personnel
  • Access logs showing dual authorization for all cleartext key operations
  • Key ceremony documentation with attendance records from both custodians
  • Training records confirming key personnel understand split knowledge requirements
  • Quarterly audit reports validating dual control was maintained throughout the period
  • Physical security logs if keys are stored in separate locations or containers

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates split knowledge audit trails and dual-control verification workflows, eliminating manual log review and automatically flagging any key operations that occur without required custodian authorization.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 3.6.1.1 — Restrict Cryptographic Key AccessPCI DSS 3.6.1.2 — Limit Cryptographic Key Usage to Specified PurposesPCI DSS 3.6.2 — Automated Key Management LifecyclePCI DSS 8.2.1 — User Identity and Authentication