Encryption Key renewal

IDPMS is encrypting credit card information with a Data Encryption key (DEK). Each hotel has its own unique DEK. In order to stay PCI compliant, the key renewal process to generate new data encryption keys has to be started at least once a year. IDPMS offers an option to initiate a DEK renewal. With this option Hotels can renew the DEK themselves.

Warning to renew the keys

30 days prior to the expiration date of the DEK (or 335 days after the last renewal date) a warning to renew the keys is send to users that are part of the user group marked as Update Admin. See Groups. This warning will be send in IDPMS mail.   
20 days later (or 355 days after the last renewal date) the update admin users will receive another warning. This warning is also displayed at night audit.
If the DEK is not renewed after 365 days, a warning to renew the keys will be displayed at every night audit. Furthermore this warning is send to each Update admin user via IDPMS mail.

DEK renewal process steps

• Creation of a new DEK
• Decryption of the existing credit card data with the old DEK
• Re-encryption of the credit card data with the new DEK

! Important note:

• During the DEK renewal and credit card data re-encryption process, IDPMS users can continue their work. For successful re-encryption, it is not required to log off all IDPMS users prior to starting this process.
• All interfaces must be switched off prior to starting the DEK renewal process.

Starting a DEK renewal

The DEK renewal is started from the IDPMS Extra > Tools > PCI menu.

After choosing the Encryption Key renewal option, additional warning messages are displayed if the user really wants to start the DEK renewal process.

The following screens inform the user of the process steps.

If the user chooses to continue the DEK renewal process, IDPMS will ask to save a Key File to disk.

! Note:

• This file is not the actual DEK but a file with random data from which IDPMS can re-create the DEK.
• This Key file must be kept in safe storage! If for some reason the DEK itself is lost or damaged, this saved Key file is the only way to recover encrypted credit card data.
• Save this file to a USB key and store in a safe place! After the Key file has been saved, the DEK renewal process is started. Depending on the amount of data, this can take up to one hour and cannot be interrupted. After the process has finished all interface must be started.