Encryption 3.6 and Vendor Payment Apps
brian
02-26-2008, 12:56 PM
What is required to meet 3.6 through 3.6.10 if we utilize an off-the-shelf payment application? The straight facts are the server administrators have no clue how the vendor sets key management up. Do I just go with the application being PABP approved and call it a day, or do we dig and document the vendor's schema in our PCI procedures?
lyalc
02-26-2008, 01:42 PM
If the application stores PANs using encryption, and is PABP certified, the vendor must have supplied an Implementation Guide that explains how to install, configure and operate the app in a PCI compliant manner.
If this isn't in the Implementation Guide, then it's not PABP compliant in my view.
The PABP Implementation Guide is meant to contain material to help you establish PCI-compliant procedures.
Talk to the vendor, and get their feedback, or material on complying on Section 3 key management.
lyalc
mdahn
02-26-2008, 05:07 PM
@brian, lyalc is correct. You do not need to dig into the key management if the payment application has undergone the PABP. What you may have to do is read the Implementation Guide (also called Implementation Documentation) for the steps you need to perform to implement the application in a PCI compliant manner.
jbhall56
02-26-2008, 08:51 PM
Unfortunately, a lot of vendors do not see the PCI compliance world in the way MDahn, Lyalc and I see it.
They are under the mistaken belief that because their application is PABP compliant, their job is done and PCI DSS compliance for their customers is assured. Unfortunately, they leave PCI compliance information out of their user and implementation documentation and if you ask about it, it's like you're telling them that they lied. Their pat answer is that they are PABP compliant and that is all you need to know.
But what is worse is when they sell additional services to customers such as hosting, application management, OS patching, security and the like outside of just supplying their application. Then they really toss the PABP certification in your face and tell you to buzz off. Unfortunately, they missed the point that these additional services are not covered by their PABP and they need to be PCI DSS compliant.
The PCI SSC really needs to get out in front of this and get these vendors trained so that they understand the difference between PABP compliance and PCI DSS compliance and that PABP compliance does not necessarily end their responsibilities.
mdahn
02-27-2008, 11:47 AM
This underscores my desire for more education, especially in the small merchant community.
http://pcianswers.com/2008/02/26/the-falacy-of-security-vs-education/