Installation prerequisites
Define and implement certain operational processes and periods before you install and configure IBM® Safer Payments.
Define and implement operational processes
Define a cryptoperiod
The cryptoperiod defines the lifetime of an encryption key. At the end of each cryptoperiod, keys must be replaced.
PCI DSS itself does not prescribe a specific cryptoperiod. However, your organization must define its own cryptoperiod. See Enforcing regular key changes for details.
Define a retention period
Outdated cardholder data must be securely deleted. PCI DSS itself does not prescribe when cardholder data becomes outdated. However, according to PCI DSS Requirement 3.2.1, your organization must define a retention period.
You can define different retention periods for different kinds of data elements:
- A retention period for transaction data, according to your business requirements.
- A longer retention period for all other data, such as cases or event logs.
You can also define the same retention period for both types of data. Retention requirements for cases or audit trails are typically longer than five years. However, there is rarely a business need to retain transaction data for such extended periods, and memory consumption would be high given the typical transaction volumes.