[li] As deemed necessary and recommended by the associated application (for example, re-keying); preferably automatically[/li][li] At least annually[/li][/ul]
3.6.4 Verify that key management procedures require periodic key changes. Verify that key change procedures are carried out at least annually
I understand that PCI DSS requires encryption keys to be changed annually. Is it necessary to decrypt all of the old data and re-encrypt it with the new key, or is it sufficient just to discontinue the use of the old key for encryption. Only new keys would be used for encryption. Then, after all old data using the old key is retired/destroyed, the old key would be destroyed since it would no longer be required for decryption.
It seems to me that the purpose of the rekeying requirement is to prevent the use of a key for very long periods of time, which if compromised would provide an attacker access to historical, current, and future data. With the method I described, a very successful attacker may have access to portions of the data, but not all, or even most of it.