?
Solved

PCI DSS re-encryption requirement

Posted on 2010-09-17
6
Medium Priority
?
730 Views
Last Modified: 2013-11-18
I understand that PCI DSS requires encryption keys to be changed annually. Is it necessary to decrypt all of the old data and re-encrypt it with the new key, or is it sufficient just to discontinue the use of the old key for encryption. Only new keys would be used for encryption. Then, after all old data using the old key is retired/destroyed, the old key would be destroyed since it would no longer be required for decryption.
0
Comment
Question by:Arvin2010
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 3

Expert Comment

by:gorhon
ID: 33707271
Sorry and...?
0
 
LVL 12

Assisted Solution

by:sarangk_14
sarangk_14 earned 1000 total points
ID: 33732671
Hi,

You need to understand the following:
1. Each Public-Private Key pair is unique. You cannot use e.g. a key from Pair B to decrypt information encrypted using a key from Pair A, even if both the leys have been created using the exact same user information.
2. You have to maintain the older key pairs till the time you are required to store the information (you may have to restore it in that period). Once the information becomes irrelavent and can be destroyed, the associated key pair can also be destroyed.
3. From my understanding of the standard, the changed key pair is to be used only for the information processed subsequent to creating the key pair and till the time a new key pair is generated (i.e. during the lifecycle of the key pair). You are not required to decrypt the old data with the old keys and encrypt it again using the new key pair.

Other expert's views welcome.

Hope this helps.

Warm regards,
Sarang
0
 
LVL 3

Expert Comment

by:mahe2000
ID: 33905369
I would re-encrypt the whole bunch of data for several reasons. The first one is that in the other way you have to keep safe several keys, one per year. The second is that may be you are not compliance with the PCI requirement, because you haven´t change the key for some part of your data, so if I were a QSA I would say you are not compliant with that.
0
 
LVL 1

Accepted Solution

by:
andypwhite earned 1000 total points
ID: 33955609
I work within the retail industry dealing with credit card transactions, so have a good grounding on how PCI-DSS works.

It is NOT necessary to re-encrypt data using a new key.  The new key should be used for ongoing encryption, with the old key(s) used to decrypt historic data only.

However, if for some reason you need to keep hold of historic data then it may be necessary to re-encrypt.  

You should really look at the required retention period of your data - do you actually need to keep data for a long period of time?  Just because the main encryption key has expired, does not mean that you need to re-encrypt files that aren't particularly old.  If you said to me that you have files which are over a year old then I'd say re-encrypt - but WHY do you keep files that long in a PCI-DSS environment?  Even the banks don't hold settlement information for that long!

0
 
LVL 27

Expert Comment

by:Tolomir
ID: 34391774
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

Will your db performance match your db growth?

In Percona’s white paper “Performance at Scale: Keeping Your Database on Its Toes,” we take a high-level approach to what you need to think about when planning for database scalability.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In 2017, ransomware will become so virulent and widespread that if you aren’t a victim yourself, you will know someone who is.
Businesses who process credit card payments have to adhere to PCI Compliance standards. Here’s why that’s important.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question