Regarding 3.6.5, what is required when keys are retired or replaced and possibly retained?

Multiple Choice

Explanation:
When cryptographic keys are retired or replaced, you don't simply discard them if data may still exist that was encrypted with them. The right approach is to archive those keys securely so they remain available for decrypting or verifying existing data if needed. The archive must be kept under strong controls (appropriate access restrictions, encryption at rest, integrity protection, and audit logging), and the keys are retained only as long as there is a legitimate need to decrypt or verify retained data. Archived keys are used solely for decryption or verification of that historical data, never for encrypting new data, and they stay protected from unauthorized access throughout.

Deleting the keys immediately would remove any possibility of recovering the encrypted data. Sharing archived keys with contractors would weaken security through overly broad access. Storing keys in an unprotected plain-text file is insecure. Archive, protect, and limit access to the keys, and use them only for future decryption or verification.
