What is a key principle for storing crypto keys to minimize locations?

The key idea is to reduce exposure by keeping crypto keys in as few secure locations as possible. Fewer storage locations mean a smaller attack surface, easier enforcement of access controls, and simpler key rotation and revocation. In practice, keys are kept in a dedicated key management system or hardware security module (HSM) with strict access controls, encryption at rest, and regular rotation. Storing keys in plaintext on servers is unsafe because compromise of the server can reveal the keys. Storing them in many locations or publicly in a cloud bucket only increases risk and complicates protection, which PCI DSS aims to minimize. So, limit storage to the minimum number of trusted, secured locations and manage them through centralized, secure key management.