Double-length TDES keys used in unique key per transaction implementations are considered to provide an equivalent level of strong cryptography. Which statement is correct?

Multiple Choice

Explanation:
The key idea is that PCI DSS does not tie strong cryptography to AES alone: 3DES (TDES) also qualifies when it is used with a per-transaction key strategy such as DUKPT (Derived Unique Key Per Transaction). With double-length (2-key, 112-bit) TDES in a DUKPT setup, every transaction is protected by a fresh key derived one-way from the device's initial key, which in turn is derived from a Base Derivation Key (BDK) that never leaves the host HSM. Exposure of any single transaction key therefore compromises only that transaction, not earlier or later ones, and a captured terminal does not yield the keys it has already used. PCI guidance treats this arrangement as providing an equivalent level of strong cryptography, on the condition that the keys are managed correctly and the BDK remains secure. So the statement is correct, with one caveat worth remembering for the exam: on its own, 2-key TDES does not reach the key strength of AES-128 or triple-length TDES, and it is the disciplined per-transaction derivation, not the algorithm by itself, that supplies the necessary cryptographic strength for PCI purposes. The other options either dismiss the accepted strength of this setup or imply it is obsolete or insufficient, which is not how PCI views properly implemented DUKPT with double-length TDES.
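To make the "fresh key per transaction" mechanism concrete, here is an added Python model of a DUKPT-style key hierarchy. It is not code from the original page and it is not an implementation of ANSI X9.24-1 or of any PCI document: HMAC-SHA256 stands in for the TDES-based derivation and MAC functions, a linear hash ratchet stands in for DUKPT's 21-register future-key scheme, and the device identifier, BDK and PIN-block messages are constructed values. What it keeps are the two properties the explanation relies on: the host and terminal derive the same per-transaction key from a shared BDK plus a transmitted counter (the KSN), and neither a captured transaction key nor a captured terminal reveals any other transaction's key.

```python
"""Model of a DUKPT-style unique-key-per-transaction (UKPT) hierarchy.

Constructed example, not code from the original page or from any PCI document:
HMAC-SHA256 stands in for the TDES-based derivation and MAC functions of
ANSI X9.24-1, and a linear hash ratchet stands in for DUKPT's 21-register
future-key scheme, so nothing here interoperates with a real DUKPT device.
"""
import hashlib
import hmac
import secrets

KSN_COUNTER_BITS = 21                      # X9.24 DUKPT: the 80-bit KSN ends in a 21-bit transaction counter
MAX_COUNTER = (1 << KSN_COUNTER_BITS) - 1


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step; the terminal cannot run it backwards."""
    return hmac.new(key, label, hashlib.sha256).digest()


def derive_ipek(bdk: bytes, device_id: bytes) -> bytes:
    """Initial key for one device, computed by the host HSM from the BDK and the device part of the KSN."""
    return kdf(bdk, b"IPEK|" + device_id)


def derive_txn_key(ipek: bytes, counter: int) -> bytes:
    """Key for transaction `counter` (1-based), reached by ratcheting forward from the IPEK.

    Real DUKPT reaches any counter in at most 10 derivations; this linear walk is a
    simplification that keeps the same one-way structure.
    """
    if not 1 <= counter <= MAX_COUNTER:
        raise ValueError("counter outside the 21-bit KSN range")
    chain = ipek
    for _ in range(counter - 1):
        chain = kdf(chain, b"next")
    return kdf(chain, b"txn")


class Terminal:
    """Holds only the current chain key and erases it after use, as DUKPT erases used future keys."""

    def __init__(self, device_id: bytes, ipek: bytes):
        self.device_id = device_id
        self._chain = ipek                 # injected once; the BDK itself is never on the device
        self.counter = 0

    def protect(self, data: bytes) -> tuple:
        if self.counter >= MAX_COUNTER:
            raise RuntimeError("transaction keys exhausted; device needs re-injection")
        self.counter += 1
        txn_key = kdf(self._chain, b"txn")
        self._chain = kdf(self._chain, b"next")   # old chain key is gone: past keys are unrecoverable from the device
        mac = hmac.new(txn_key, data, hashlib.sha256).digest()
        # device_id || counter plays the role of the KSN that travels in the clear with the message
        return (self.device_id, self.counter, data, mac)


class Host:
    """Recomputes each transaction key from the BDK and the received KSN; the BDK never leaves the host."""

    def __init__(self, bdk: bytes):
        self._bdk = bdk
        self._last_counter: dict = {}

    def verify(self, device_id: bytes, counter: int, data: bytes, mac: bytes) -> bool:
        if counter <= self._last_counter.get(device_id, 0):
            return False                   # replayed or out-of-order KSN: host policy, not part of key derivation
        try:
            txn_key = derive_txn_key(derive_ipek(self._bdk, device_id), counter)
        except ValueError:
            return False
        expected = hmac.new(txn_key, data, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False
        self._last_counter[device_id] = counter
        return True


def demo() -> dict:
    """Run three transactions plus a replay and a tampering attempt; returns the outcomes."""
    bdk = secrets.token_bytes(24)                       # would live only inside the host HSM
    device_id = bytes.fromhex("FFFF9876543210E0")       # constructed KSN prefix for one terminal
    host = Host(bdk)
    terminal = Terminal(device_id, derive_ipek(bdk, device_id))   # key injection at a secure facility
    messages = [terminal.protect(b"PIN block %d" % i) for i in (1, 2, 3)]
    results = {"valid": [host.verify(*m) for m in messages]}
    results["replay_rejected"] = not host.verify(*messages[0])
    dev, ctr, _, mac = messages[2]
    results["tamper_rejected"] = not Host(bdk).verify(dev, ctr, b"PIN block 9", mac)
    results["keys_distinct"] = len({derive_txn_key(derive_ipek(bdk, device_id), c) for c in (1, 2, 3)}) == 3
    return results


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is the asymmetry of what each party holds: the terminal keeps only a ratcheting chain key and the BDK is confined to the host, so the value of any one transaction key is limited to that one transaction, which is the reason the equivalence in the question is conditioned on key management and BDK protection rather than on the raw strength of 2-key TDES.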
