a. use of physically and logically protected devices and environments to store and generate cryptographic keys, generate PINs and perform encryption and decryption. In most cases this would involve the use of Hardware Security Modules[10] (HSMs) or similarly secured devices; | | | | |
b. use of cryptographic techniques to maintain cryptographic key confidentiality; | | | | |
c. segregation of duties, with no single individual having knowledge of the entire cryptographic key (i.e. two-person controls) or having access to all the components making up these keys; | | | | |
d. predefined activation and deactivation dates for cryptographic keys, limiting the period of time they remain valid for use. The period of time a cryptographic key remains valid would be commensurate with the risk; | | 3 | 4 | |
e. clearly defined cryptographic key revocation processes; | | | | |
f. the deployment of detection techniques to identify any instances of cryptographic key substitution. | | | | |