Looking for help with PCI compliance design
alandaughton
04-17-2008, 02:27 PM
I've been assigned the task of designing a new key management system for our company in order to meet PCI compliance. We must be PCI compliant for credit card data as a requirement set by the credit card companies, and other personal data as a requirement set by credit data repositories. I have come up with a preliminary strategy for the key management system but am not sure whether it will fully comply. Is there anyone with expertise that would be interested in reviewing my strategy and/or design details to confirm compliance or point out shortcomings?
jbhall56
04-18-2008, 04:11 AM
I'm sure any QSA would be willing to assist you in evaluating your plans. However, I am also sure that they will want some form of remuneration for providing such services.
jonassono
04-18-2008, 08:10 AM
The PCI requirement for key management is (IMHO) over the top. In addition to the usual encryption of cardholder data, the requirement for key management goes well beyond any reasonable security requirement with 3.6.6 'Split knowledge and dual control...'. Imagine if a key gets corrupted and the merchant's entire production system grinds to a halt because one of the parties who holds a piece of the key is absent or inaccessible for some reason... The whole key requirement section 3.6.1 through 3.6.10 needs a reality check!!!! The only simple way out of this pickle is to acquire an encryption appliance like Vormetric or Ingrian's DataSecure and leave all of the key management to the appliance.
lyalc
04-21-2008, 03:25 PM
Key management appliances do not remove the need for dual control or split knowledge. I take it you haven't read the manuals or installed these in a PCI compliant environment so that no single person can alter, export or delete keys (implicit Dual Control requirements).
The keys still need to be loaded into the appliance, and backed up under the control of at least 2 people.
Most process solutions I've seen have 2 'teams', with 'Team A' having 2 or more members and physical access to half of the master key.
'Team B' has 2 or more different members, with physical access to the other half of the key.
This sort of model minimises the single-person dependency concerns which would otherwise exist.
Add in some audit trails over the physical and logical access to the key components and the key management system, and you're pretty much done from a minimalist perspective.
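The two-team component model lyalc describes above (each team holds one half of the master key, and no single person can assemble it) is usually implemented with XOR key components, a key check value to confirm the reassembled key, and an audit trail of who presented what. The script below is an added illustration of that process, not code from any poster or appliance vendor; the component sizes, team names, custodians and the SHA-256 based check value are all constructed assumptions (the check value used in real PIN/cardholder environments is normally computed with the block cipher itself).

```python
"""Split-knowledge key components with dual control and an audit trail (illustrative example)."""
import hashlib
import os
from dataclasses import dataclass, field

KEY_BYTES = 32  # 256-bit master key; size chosen for the example


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("component length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(master_key: bytes, n: int) -> list[bytes]:
    """Split master_key into n XOR components.

    Every component but the last is uniformly random, so any n-1 of them
    reveal nothing about the key: that is the 'split knowledge' property.
    """
    if n < 2:
        raise ValueError("need at least two components for split knowledge")
    parts = [os.urandom(len(master_key)) for _ in range(n - 1)]
    last = master_key
    for p in parts:
        last = xor_bytes(last, p)
    return parts + [last]


def combine_components(components: list[bytes]) -> bytes:
    """Reassemble the key by XORing all components together."""
    key = bytes(len(components[0]))
    for c in components:
        key = xor_bytes(key, c)
    return key


def key_check_value(key: bytes) -> str:
    """Short fingerprint used to confirm a reloaded key without exposing it.
    Assumption for this example: truncated SHA-256 rather than a cipher-based KCV."""
    return hashlib.sha256(key).hexdigest()[:6]


@dataclass
class AuditEvent:
    action: str
    actor: str
    detail: str


@dataclass
class KeyCeremony:
    """Who holds which component (custodian -> component, custodian -> team) plus the log."""
    components: dict = field(default_factory=dict)
    teams: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def issue(self, custodian: str, team: str, component: bytes) -> None:
        self.components[custodian] = component
        self.teams[custodian] = team
        self.audit.append(AuditEvent("issue", custodian, f"team {team} component"))

    def load_key(self, presenters: list[str], expected_kcv: str) -> bytes:
        """Dual control: a load needs distinct custodians from every team.
        Each presentation is logged whether or not the load succeeds."""
        for who in presenters:
            self.audit.append(AuditEvent("present", who, f"team {self.teams.get(who, '?')}"))
        if len(set(presenters)) != len(presenters):
            raise PermissionError("a custodian may present only one component")
        teams_present = {self.teams[p] for p in presenters}
        if teams_present != set(self.teams.values()):
            missing = set(self.teams.values()) - teams_present
            self.audit.append(AuditEvent("reject", ",".join(presenters), f"missing team {sorted(missing)}"))
            raise PermissionError("dual control not satisfied")
        key = combine_components([self.components[p] for p in presenters])
        if key_check_value(key) != expected_kcv:
            self.audit.append(AuditEvent("reject", ",".join(presenters), "check value mismatch"))
            raise ValueError("reassembled key failed its check value")
        self.audit.append(AuditEvent("load", ",".join(presenters), f"kcv {expected_kcv}"))
        return key


def run_ceremony() -> tuple[bytes, KeyCeremony]:
    """Generate a master key, hand one half to each team, and return both for inspection."""
    master = os.urandom(KEY_BYTES)
    half_a, half_b = split_key(master, 2)
    ceremony = KeyCeremony()
    ceremony.issue("alice", "A", half_a)  # constructed custodian names
    ceremony.issue("bob", "B", half_b)
    return master, ceremony


if __name__ == "__main__":
    master, ceremony = run_ceremony()
    kcv = key_check_value(master)
    assert ceremony.load_key(["alice", "bob"], kcv) == master
    for event in ceremony.audit:
        print(event)
```

The point the example makes concrete is that the appliance or HSM changes where the reassembled key lives, not who has to turn up: the `load_key` check refuses a single custodian or two from the same team, and the audit list is the evidence an assessor asks for. Adding a third team or a backup custodian per team is just more `issue` calls, which is how the "2 or more members" per team in the post avoids the single-person outage the earlier reply worried about.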