Which statement is true regarding crypto architecture documentation for CHD protection?


Multiple Choice

Which statement is true regarding crypto architecture documentation for CHD protection?

Explanation:
For protecting cardholder data, the documentation should clearly describe the cryptographic controls in use: the exact algorithms, the protocols governing their use, and the keys themselves, including key strength and how long keys remain valid before expiry or rotation. This level of detail ensures that the cryptographic design is auditable, repeatable, and aligned with policy requirements for key management, rotation schedules, and access controls. The other topics—password policies for users, hardware inventory, and a business continuity plan—address different aspects of security or operations and do not provide the essential cryptographic architecture details needed to protect CHD.

