Which statement is true regarding crypto architecture documentation for CHD protection?

• A. Details of algorithms, protocols & keys used, including key strength & expiry date
• B. The password policy for all users
• C. Hardware inventory across the company
• D. The business continuity plan

Answer: (A)

For protecting cardholder data, the documentation should clearly describe the cryptographic controls in use: the exact algorithms, the protocols governing their use, and the keys themselves, including key strength and how long keys remain valid before expiry or rotation. This level of detail ensures that the cryptographic design is auditable, repeatable, and aligned with policy requirements for key management, rotation schedules, and access controls. The other topics—password policies for users, hardware inventory, and a business continuity plan—address different aspects of security or operations and do not provide the essential cryptographic architecture details needed to protect CHD.