Solved

PCI DSS re-encryption requirement

Posted on 2010-09-17
6
721 Views
Last Modified: 2013-11-18
I understand that PCI DSS requires encryption keys to be changed annually. Is it necessary to decrypt all of the old data and re-encrypt it with the new key, or is it sufficient just to discontinue the use of the old key for encryption. Only new keys would be used for encryption. Then, after all old data using the old key is retired/destroyed, the old key would be destroyed since it would no longer be required for decryption.
0
Comment
Question by:Arvin2010
6 Comments
 
LVL 3

Expert Comment

by:gorhon
ID: 33707271
Sorry and...?
0
 
LVL 12

Assisted Solution

by:sarangk_14
sarangk_14 earned 250 total points
ID: 33732671
Hi,

You need to understand the following:
1. Each Public-Private Key pair is unique. You cannot use e.g. a key from Pair B to decrypt information encrypted using a key from Pair A, even if both the leys have been created using the exact same user information.
2. You have to maintain the older key pairs till the time you are required to store the information (you may have to restore it in that period). Once the information becomes irrelavent and can be destroyed, the associated key pair can also be destroyed.
3. From my understanding of the standard, the changed key pair is to be used only for the information processed subsequent to creating the key pair and till the time a new key pair is generated (i.e. during the lifecycle of the key pair). You are not required to decrypt the old data with the old keys and encrypt it again using the new key pair.

Other expert's views welcome.

Hope this helps.

Warm regards,
Sarang
0
 
LVL 3

Expert Comment

by:mahe2000
ID: 33905369
I would re-encrypt the whole bunch of data for several reasons. The first one is that in the other way you have to keep safe several keys, one per year. The second is that may be you are not compliance with the PCI requirement, because you haven´t change the key for some part of your data, so if I were a QSA I would say you are not compliant with that.
0
 
LVL 1

Accepted Solution

by:
andypwhite earned 250 total points
ID: 33955609
I work within the retail industry dealing with credit card transactions, so have a good grounding on how PCI-DSS works.

It is NOT necessary to re-encrypt data using a new key.  The new key should be used for ongoing encryption, with the old key(s) used to decrypt historic data only.

However, if for some reason you need to keep hold of historic data then it may be necessary to re-encrypt.  

You should really look at the required retention period of your data - do you actually need to keep data for a long period of time?  Just because the main encryption key has expired, does not mean that you need to re-encrypt files that aren't particularly old.  If you said to me that you have files which are over a year old then I'd say re-encrypt - but WHY do you keep files that long in a PCI-DSS environment?  Even the banks don't hold settlement information for that long!

0
 
LVL 27

Expert Comment

by:Tolomir
ID: 34391774
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As a financial services provider, your business is impacted by two of the strictest federal regulations on record: the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act. Correctly implementing faxing into your organization to provide secure, real-ti…
There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question