Installation prerequisites

Define and implement the operational processes, the cryptoperiod, and the retention period described here before you install and configure IBM® Safer Payments.

Define and implement operational processes

To achieve PCI DSS compliance, it is not enough to configure IBM Safer Payments as described here. You must also implement a set of operational processes within your organization for PCI DSS-compliant operation.
Important: Read the PCI DSS documentation and implement the operational processes that are described there.

Security Standards Council Document Library

Define a cryptoperiod

The cryptoperiod defines the lifetime of an encryption key. At the end of each cryptoperiod, keys must be replaced.

PCI DSS itself does not mandate a specific cryptoperiod. However, you as an organization must define your own cryptoperiod and enforce it. See Enforcing regular key changes for details.

Define a retention period

Outdated cardholder data must be securely deleted. PCI DSS itself does not mandate when cardholder data becomes outdated. However, according to PCI DSS Requirement 3.2.1, you as an organization must define a retention period.

You can define different retention periods for different kinds of data:

  • A retention period for transaction data, according to your business requirements.
  • A longer retention period for all other data, such as cases, or event logs.

You can also define the same retention period for both types of data. Retention requirements for cases or audit trails are typically longer than five years. However, there is rarely a business need to retain transaction data for such extended periods, and at typical transaction volumes the memory consumption would be high.
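The two periods defined above, the cryptoperiod for keys and the per-class retention period for data, are both organizational decisions that the product cannot make for you. The following is an added example, not part of the IBM Safer Payments documentation or product, showing how an organization might encode such a policy and check it: the period values, the `Record` and `EncryptionKey` types, and the sample data are all hypothetical and constructed for illustration. It fails closed when a data class has no defined retention period and reports records whose age cannot be determined instead of silently keeping or deleting them.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical policy values. PCI DSS does not prescribe them; the
# organization must define them (see the cryptoperiod and retention sections).
RETENTION_DAYS = {
    "transaction": 365,       # business requirement, e.g. one year
    "case": 6 * 365,          # cases and audit trails: typically longer than five years
    "event_log": 6 * 365,
}
CRYPTOPERIOD_DAYS = 365       # example cryptoperiod: keys are replaced yearly


@dataclass(frozen=True)
class Record:
    """A stored data element; `created` may be missing for damaged metadata."""
    record_id: str
    data_class: str
    created: date | None


@dataclass(frozen=True)
class EncryptionKey:
    key_id: str
    activated: date


class PolicyError(ValueError):
    """Raised when no retention period has been defined for a data class."""


def expired_records(records, today, retention_days=RETENTION_DAYS):
    """Return (expired_ids, undecidable_ids).

    expired_ids: records whose retention period has elapsed and that must be
    securely deleted. undecidable_ids: records with no timestamp, which need
    manual review. An unknown data class is a policy gap and raises, so that
    the check never silently retains or deletes data the policy does not cover.
    """
    expired, undecidable = [], []
    for r in records:
        if r.data_class not in retention_days:
            raise PolicyError(f"no retention period defined for {r.data_class!r}")
        if r.created is None:
            undecidable.append(r.record_id)
            continue
        if r.created + timedelta(days=retention_days[r.data_class]) <= today:
            expired.append(r.record_id)
    return expired, undecidable


def keys_due_for_replacement(keys, today, cryptoperiod_days=CRYPTOPERIOD_DAYS):
    """Return the IDs of keys whose cryptoperiod has ended and that must be replaced."""
    return [
        k.key_id
        for k in keys
        if k.activated + timedelta(days=cryptoperiod_days) <= today
    ]


# Constructed sample data for a check run on 2024-01-01.
SAMPLE_RECORDS = [
    Record("txn-1", "transaction", date(2022, 12, 31)),   # older than one year
    Record("txn-2", "transaction", date(2023, 6, 1)),     # still within retention
    Record("case-1", "case", date(2018, 1, 1)),           # older than six years
    Record("case-2", "case", date(2019, 6, 15)),          # still within retention
    Record("log-1", "event_log", None),                   # age unknown: review
]
SAMPLE_KEYS = [
    EncryptionKey("dek-2023a", date(2023, 1, 1)),         # cryptoperiod ended
    EncryptionKey("dek-2023b", date(2023, 7, 1)),         # still valid
]

if __name__ == "__main__":
    today = date(2024, 1, 1)
    print("delete:", expired_records(SAMPLE_RECORDS, today))
    print("replace keys:", keys_due_for_replacement(SAMPLE_KEYS, today))
```

This check only decides what must go; the deletion itself must be a secure deletion (overwrite or cryptographic erasure), and a record whose class is missing from the policy table is treated as a defect in the policy rather than as data to keep.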