
Which of the following statements is true whenever a cryptographic key is retired and replaced with a new key?

A. The retired key must not be used for encryption operations

B. Cryptographic key components from the retired key must be retained for 3 months before disposal

C. A new key custodian must be assigned

D. All data encrypted under the retired key must be securely destroyed

Answer: A

Explanation:

PCI DSS Requirement 3.6.4 states that entities must retire or replace keys when the keys have reached the end of their cryptoperiod, which is the time span during which a specific key can be used for cryptographic operations [1]. The retired key must not be used for encryption operations, as it may have been compromised or weakened by cryptanalysis, and may not provide adequate protection for the data. The retired key may still be used for decryption operations, if needed, to access historical data that was encrypted under the retired key [2]. Therefore, the correct answer is option A.

The other options are not true of cryptographic key retirement and replacement. Option B is not true because PCI DSS does not specify a retention period for the cryptographic key components from the retired key, although it requires entities to securely delete cryptographic material when it is no longer needed for business or legal reasons [1]. Option C is not true because PCI DSS does not require a new key custodian to be assigned, although it requires entities to define and document the roles, responsibilities, and accountability of all key custodians [1]. Option D is not true because PCI DSS does not require all data encrypted under the retired key to be securely destroyed, although it requires entities to render cardholder data unreadable when it is no longer needed for business or legal reasons [1].

References:

[1] PCI DSS v3.2.1

[2] Cryptographic Key Blocks – PCI Security Standards Council