Arvin2010
asked on
PCI DSS re-encryption requirement
I understand that PCI DSS requires encryption keys to be changed annually. Is it necessary to decrypt all of the old data and re-encrypt it with the new key, or is it sufficient just to discontinue the use of the old key for encryption. Only new keys would be used for encryption. Then, after all old data using the old key is retired/destroyed, the old key would be destroyed since it would no longer be required for decryption.
Sorry and...?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I would re-encrypt the whole bunch of data for several reasons. The first one is that in the other way you have to keep safe several keys, one per year. The second is that may be you are not compliance with the PCI requirement, because you haven´t change the key for some part of your data, so if I were a QSA I would say you are not compliant with that.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.