Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

PCI DSS re-encryption requirement

Posted on 2010-09-17
6
Medium Priority
?
735 Views
Last Modified: 2013-11-18
I understand that PCI DSS requires encryption keys to be changed annually. Is it necessary to decrypt all of the old data and re-encrypt it with the new key, or is it sufficient just to discontinue the use of the old key for encryption. Only new keys would be used for encryption. Then, after all old data using the old key is retired/destroyed, the old key would be destroyed since it would no longer be required for decryption.
0
Comment
Question by:Arvin2010
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 3

Expert Comment

by:gorhon
ID: 33707271
Sorry and...?
0
 
LVL 12

Assisted Solution

by:sarangk_14
sarangk_14 earned 1000 total points
ID: 33732671
Hi,

You need to understand the following:
1. Each Public-Private Key pair is unique. You cannot use e.g. a key from Pair B to decrypt information encrypted using a key from Pair A, even if both the leys have been created using the exact same user information.
2. You have to maintain the older key pairs till the time you are required to store the information (you may have to restore it in that period). Once the information becomes irrelavent and can be destroyed, the associated key pair can also be destroyed.
3. From my understanding of the standard, the changed key pair is to be used only for the information processed subsequent to creating the key pair and till the time a new key pair is generated (i.e. during the lifecycle of the key pair). You are not required to decrypt the old data with the old keys and encrypt it again using the new key pair.

Other expert's views welcome.

Hope this helps.

Warm regards,
Sarang
0
 
LVL 3

Expert Comment

by:mahe2000
ID: 33905369
I would re-encrypt the whole bunch of data for several reasons. The first one is that in the other way you have to keep safe several keys, one per year. The second is that may be you are not compliance with the PCI requirement, because you haven´t change the key for some part of your data, so if I were a QSA I would say you are not compliant with that.
0
 
LVL 1

Accepted Solution

by:
andypwhite earned 1000 total points
ID: 33955609
I work within the retail industry dealing with credit card transactions, so have a good grounding on how PCI-DSS works.

It is NOT necessary to re-encrypt data using a new key.  The new key should be used for ongoing encryption, with the old key(s) used to decrypt historic data only.

However, if for some reason you need to keep hold of historic data then it may be necessary to re-encrypt.  

You should really look at the required retention period of your data - do you actually need to keep data for a long period of time?  Just because the main encryption key has expired, does not mean that you need to re-encrypt files that aren't particularly old.  If you said to me that you have files which are over a year old then I'd say re-encrypt - but WHY do you keep files that long in a PCI-DSS environment?  Even the banks don't hold settlement information for that long!

0
 
LVL 27

Expert Comment

by:Tolomir
ID: 34391774
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How important is it to take extra precautions to protect your online business? These are some steps you can take to make sure you're free of any cyber crime.
There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question