PCI DSS re-encryption requirement

I understand that PCI DSS requires encryption keys to be changed annually. Is it necessary to decrypt all of the old data and re-encrypt it with the new key, or is it sufficient just to discontinue the use of the old key for encryption. Only new keys would be used for encryption. Then, after all old data using the old key is retired/destroyed, the old key would be destroyed since it would no longer be required for decryption.
Arvin2010Asked:
Who is Participating?
 
andypwhiteConnect With a Mentor Commented:
I work within the retail industry dealing with credit card transactions, so have a good grounding on how PCI-DSS works.

It is NOT necessary to re-encrypt data using a new key.  The new key should be used for ongoing encryption, with the old key(s) used to decrypt historic data only.

However, if for some reason you need to keep hold of historic data then it may be necessary to re-encrypt.  

You should really look at the required retention period of your data - do you actually need to keep data for a long period of time?  Just because the main encryption key has expired, does not mean that you need to re-encrypt files that aren't particularly old.  If you said to me that you have files which are over a year old then I'd say re-encrypt - but WHY do you keep files that long in a PCI-DSS environment?  Even the banks don't hold settlement information for that long!

0
 
gorhonCommented:
Sorry and...?
0
 
sarangk_14Connect With a Mentor Commented:
Hi,

You need to understand the following:
1. Each Public-Private Key pair is unique. You cannot use e.g. a key from Pair B to decrypt information encrypted using a key from Pair A, even if both the leys have been created using the exact same user information.
2. You have to maintain the older key pairs till the time you are required to store the information (you may have to restore it in that period). Once the information becomes irrelavent and can be destroyed, the associated key pair can also be destroyed.
3. From my understanding of the standard, the changed key pair is to be used only for the information processed subsequent to creating the key pair and till the time a new key pair is generated (i.e. during the lifecycle of the key pair). You are not required to decrypt the old data with the old keys and encrypt it again using the new key pair.

Other expert's views welcome.

Hope this helps.

Warm regards,
Sarang
0
 
mahe2000Commented:
I would re-encrypt the whole bunch of data for several reasons. The first one is that in the other way you have to keep safe several keys, one per year. The second is that may be you are not compliance with the PCI requirement, because you haven´t change the key for some part of your data, so if I were a QSA I would say you are not compliant with that.
0
 
TolomirAdministratorCommented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.