Solved

PCI DSS re-encryption requirement

Posted on 2010-09-17
6
728 Views
Last Modified: 2013-11-18
I understand that PCI DSS requires encryption keys to be changed annually. Is it necessary to decrypt all of the old data and re-encrypt it with the new key, or is it sufficient just to discontinue the use of the old key for encryption. Only new keys would be used for encryption. Then, after all old data using the old key is retired/destroyed, the old key would be destroyed since it would no longer be required for decryption.
0
Comment
Question by:Arvin2010
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 3

Expert Comment

by:gorhon
ID: 33707271
Sorry and...?
0
 
LVL 12

Assisted Solution

by:sarangk_14
sarangk_14 earned 250 total points
ID: 33732671
Hi,

You need to understand the following:
1. Each Public-Private Key pair is unique. You cannot use e.g. a key from Pair B to decrypt information encrypted using a key from Pair A, even if both the leys have been created using the exact same user information.
2. You have to maintain the older key pairs till the time you are required to store the information (you may have to restore it in that period). Once the information becomes irrelavent and can be destroyed, the associated key pair can also be destroyed.
3. From my understanding of the standard, the changed key pair is to be used only for the information processed subsequent to creating the key pair and till the time a new key pair is generated (i.e. during the lifecycle of the key pair). You are not required to decrypt the old data with the old keys and encrypt it again using the new key pair.

Other expert's views welcome.

Hope this helps.

Warm regards,
Sarang
0
 
LVL 3

Expert Comment

by:mahe2000
ID: 33905369
I would re-encrypt the whole bunch of data for several reasons. The first one is that in the other way you have to keep safe several keys, one per year. The second is that may be you are not compliance with the PCI requirement, because you haven´t change the key for some part of your data, so if I were a QSA I would say you are not compliant with that.
0
 
LVL 1

Accepted Solution

by:
andypwhite earned 250 total points
ID: 33955609
I work within the retail industry dealing with credit card transactions, so have a good grounding on how PCI-DSS works.

It is NOT necessary to re-encrypt data using a new key.  The new key should be used for ongoing encryption, with the old key(s) used to decrypt historic data only.

However, if for some reason you need to keep hold of historic data then it may be necessary to re-encrypt.  

You should really look at the required retention period of your data - do you actually need to keep data for a long period of time?  Just because the main encryption key has expired, does not mean that you need to re-encrypt files that aren't particularly old.  If you said to me that you have files which are over a year old then I'd say re-encrypt - but WHY do you keep files that long in a PCI-DSS environment?  Even the banks don't hold settlement information for that long!

0
 
LVL 27

Expert Comment

by:Tolomir
ID: 34391774
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Every business owner understands the significance of online customer reviews and the impact it can have on sales and revenues. With technology advancing at such a rapid pace, getting online reviews has never been easier, especially when many regions…
Learn about the eCommerce marketing trends for the year ahead.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question