Resetting the key-encrypting key

iMIS uses encryption to secure sensitive cardholder information. The encryption keys used to protect this data are themselves encrypted with a string stored in a key-encrypting key (KEK) file.

Warning! It is recommended that you do not modify or remove the key-encrypting key file. It is possible to irreparably damage the ability to retrieve encrypted information, including payment gateway passwords, which will prevent iMIS from processing financial transactions. If you inadvertently change or delete the key-encrypting key, contact ASI Technical Support immediately.

Warning! This operation will permanently modify data in your database. Back up your database before continuing with this operation.

To maintain PCI compliance for stored cardholder data, you must periodically reset the key-encrypting key: at least once a year, and immediately if the key may have been exposed.

Note: Choose a time when the database can be offline for several hours. Re-encryption can take minutes or hours, depending on your data; once started, the re-encryption process must not be stopped.

Do the following:

  1. Back up your iMIS database.
  2. Back up the KEK.txt file.
  3. From a machine with Terminal access, go to the iMIS Scheduler page:
    1. Go to IIS Manager > Sites > Default Web Site.
    2. Select the Asi.Scheduler site.
       Note: In a multi-instance system, make sure you select the Asi.Scheduler site for the correct instance of iMIS.
    3. In the Manage Application > Browse Application section, click Browse *.443 (https) to open the iMIS Scheduler page.
  4. Click Log in. Enter your iMIS credentials.
  5. Select the Reset Encryption link. A page with a Reset KEK and Encryption Key button and a Remove Historical Encryption Data button is displayed.
  6. Do one of the following:
    • Click Reset KEK and Encryption Key (annual process):
      • Encryption keys and cardholder data are re-encrypted.
      • The starting location of the key-encrypting key within the key-encrypting key file is changed.
      • A new KEK.txt file is generated. The pre-existing KEK.txt file is renamed Previous KEK.txt.

    Warning! This operation will permanently modify data in your database. This operation will also modify the key-encrypting key file. Back up your KEK file and your database before proceeding.
    This operation will interrupt financial transactions and can take a few seconds to several hours to complete. While this operation is running, do not restart IIS. Doing so could interrupt the operation.

    • Click Remove Historical Encryption Data (annual process). The following is deleted:
      • Prior encryption keys
      • Previous KEK.txt file
      The event is also written to the PCIAuditLog. Once the historical keys are removed, email links that were encrypted with those keys can no longer be resolved.

    Note: You must perform both the Reset KEK and Encryption Key and the Remove Historical Encryption Data operations at least once a year.
    You must also perform these operations whenever anyone with access to the key-encrypting key leaves your organization, or whenever you suspect the file has been compromised.

    Allow the process to complete without interruption.

    Note: Refresh your browser to see when these processes are complete.
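The following PowerShell script is an added example for steps 1 and 2 of the procedure (backing up the database and the KEK.txt file) and for checking the outcome of Reset KEK and Encryption Key; it is not part of the iMIS documentation or the product. It assumes the KEK.txt path, the SQL Server instance, the database name and the backup folder shown in the parameters (all placeholders to adjust), that the SqlServer PowerShell module is installed so that Invoke-Sqlcmd is available, and that the renamed file is literally named "Previous KEK.txt" as described above.

```powershell
# Added example, not iMIS code: pre-reset backups and post-reset verification
# for the KEK rotation described on this page.
# Assumptions (adjust for your installation):
#   - $KekPath is the location of KEK.txt on the iMIS application server (assumed path).
#   - The iMIS database is $Database on SQL Server instance $SqlInstance (assumed names).
#   - The SqlServer PowerShell module (Invoke-Sqlcmd) is installed.
# Run -Step Backup before clicking Reset KEK and Encryption Key, and
# -Step Verify after the Scheduler page shows that the reset has completed.
param(
    [ValidateSet('Backup', 'Verify')]
    [string]$Step        = 'Backup',
    [string]$KekPath     = 'C:\Program Files (x86)\ASI\iMIS\KEK.txt',   # assumed path
    [string]$SqlInstance = 'localhost',                                 # assumed instance
    [string]$Database    = 'iMIS',                                      # assumed database name
    [string]$BackupRoot  = 'D:\Backups\iMIS-KEK'                        # assumed backup folder
)

$ErrorActionPreference = 'Stop'
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$kekDir   = Split-Path -Parent $KekPath
$prevPath = Join-Path $kekDir 'Previous KEK.txt'          # name taken from the procedure text
$hashFile = Join-Path $BackupRoot 'kek-sha256-before-reset.txt'

if ($Step -eq 'Backup') {
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

    # Step 1: full database backup. WITH CHECKSUM makes SQL Server verify page
    # checksums while writing; RESTORE VERIFYONLY confirms the backup set is readable.
    $bakFile = Join-Path $BackupRoot "$Database-$stamp.bak"
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Database 'master' -QueryTimeout 0 -Query @"
BACKUP DATABASE [$Database] TO DISK = N'$bakFile' WITH CHECKSUM, INIT, STATS = 10;
RESTORE VERIFYONLY FROM DISK = N'$bakFile' WITH CHECKSUM;
"@

    # Step 2: copy KEK.txt and record its SHA-256 so that, after the reset, we can
    # prove the file was actually replaced and that 'Previous KEK.txt' is the old one.
    $kekBackup = Join-Path $BackupRoot "KEK-$stamp.txt"
    Copy-Item -Path $KekPath -Destination $kekBackup
    $hash = (Get-FileHash -Path $KekPath -Algorithm SHA256).Hash
    Set-Content -Path $hashFile -Value $hash
    Write-Host "Database backup: $bakFile"
    Write-Host "KEK backup:      $kekBackup (SHA-256 $hash)"
}
else {
    # After the reset: 'Previous KEK.txt' must exist and match the pre-reset file,
    # and KEK.txt must differ from it (a new file was generated).
    $before = (Get-Content -Path $hashFile -Raw).Trim()
    if (-not (Test-Path -Path $prevPath)) {
        throw "Previous KEK.txt not found in $kekDir; the reset may not have completed."
    }
    $prevHash = (Get-FileHash -Path $prevPath -Algorithm SHA256).Hash
    if ($prevHash -ne $before) {
        throw "Previous KEK.txt does not match the pre-reset backup; investigate before removing historical data."
    }
    $after = (Get-FileHash -Path $KekPath -Algorithm SHA256).Hash
    if ($after -eq $before) {
        throw "KEK.txt is unchanged since the backup; no new key-encrypting key was generated."
    }
    Write-Host "KEK rotated: Previous KEK.txt matches the backup and KEK.txt has a new SHA-256 ($after)."
}
```

The KEK backup is as sensitive as the live file: keep $BackupRoot on storage restricted to the same people who may read KEK.txt, and treat the copy as in scope for the "anyone with access to the key-encrypting key" rule above. Run the Verify step only after the Scheduler page reports completion (refresh the browser), and run it before Remove Historical Encryption Data, since that operation deletes the Previous KEK.txt file the check relies on.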