[PCI-DSS] Requirement 3: Protect stored cardholder data

Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if full PAN is not needed, and not sending PAN in unencrypted e-mails.
3.6.4 Periodic cryptographic key changes
I understand that PCI DSS requires encryption keys to be changed annually. Is it necessary to decrypt all of the old data and re-encrypt it with the new key, or is it sufficient just to discontinue the use of the old key for encryption? Only new keys would be used for encryption. Then, after all old data using the old key is retired/destroyed, the old key would be destroyed, since it would no longer be required for decryption.

It seems to me that the purpose of the rekeying requirement is to prevent the use of a key for very long periods of time, which, if compromised, would provide an attacker access to historical, current, and future data. With the method I described, a very successful attacker may have access to portions of the data, but not all, or even most of it.

Thanks, Randy
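A sketch of the decrypt-only rotation the post describes, added here as an illustration and not taken from the thread: every ciphertext carries the id of the key that produced it, the ring marks one key as current for new encryptions, and a retired key can only be destroyed once no stored record still references it. The cipher is a stdlib HMAC-SHA256 counter-mode construction standing in for an AEAD such as AES-GCM so that the key-management logic runs offline; the key ids, key bytes and record format are assumptions of this example.

```python
import hashlib
import hmac
import os
import struct
HEADER = struct.Struct(">I16s")  # 4-byte key id, 16-byte nonce; a 32-byte HMAC tag follows the body

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode, a stdlib stand-in for a real AEAD such as AES-GCM.
    stream = b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def key_ids_referenced(stored: list) -> set:
    # Key ids still needed to decrypt the given stored ciphertexts (read from each header).
    return {HEADER.unpack(blob[:HEADER.size])[0] for blob in stored}

class KeyRing:
    """One current (encrypt) key plus retired keys kept for decryption only."""
    def __init__(self, key_id: int, key: bytes):
        self.keys = {key_id: key}
        self.current = key_id
    def rotate(self, new_id: int, new_key: bytes) -> None:
        # The old key stays in the ring for decryption; only 'current' moves.
        if new_id in self.keys:
            raise ValueError("key id already used")
        self.keys[new_id] = new_key
        self.current = new_id
    def encrypt(self, plaintext: bytes) -> bytes:
        key = self.keys[self.current]
        header = HEADER.pack(self.current, os.urandom(16))
        body = _xor_stream(_subkey(key, b"enc"), header[4:], plaintext)
        tag = hmac.new(_subkey(key, b"mac"), header + body, hashlib.sha256).digest()
        return header + body + tag
    def decrypt(self, blob: bytes) -> bytes:
        header, body, tag = blob[:HEADER.size], blob[HEADER.size:-32], blob[-32:]
        key_id, nonce = HEADER.unpack(header)
        key = self.keys[key_id]  # KeyError if the key was destroyed or never held
        expected = hmac.new(_subkey(key, b"mac"), header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")
        return _xor_stream(_subkey(key, b"enc"), nonce, body)
    def destroy(self, key_id: int, stored: list) -> bool:
        # Refuse while the key is current or any stored record still depends on it.
        if key_id == self.current or key_id in key_ids_referenced(stored):
            return False
        del self.keys[key_id]
        return True
```

The `destroy` check is the step that makes the scheme auditable: an inventory of stored ciphertext headers tells you exactly when an old key is no longer needed.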