Issue:
The current CA Payment Security PGP Public key in your system will expire on March 6, 2019. Customers may not be able to use this key for encrypting data upload files after this date, thus impacting the ability to upload cardholder data.

Background
A CA Payment Security PGP keys are used by CA Payment Security customers to encrypt cardholder data files prior to being consumed by CA Payment Security (Transaction Manager) solution. These cryptographic keys used in a PCI environment and are required to be changed every few years to limit the risk that the keys can be compromised or stolen. This article details the need for customers to update CA Payment Security PGP Public key that will expire on March 6, 2019. 

CA Payment Security PGP key expiration on March 6, 2019.

Customers must update the provided CA Payment Security PGP Public key (embedded in this KB article) in their systems on or before March 6, 2019. Depending on the software you use for PGP key management, the commands to import CA Payment Security PGP key may be different. here are pointers for some applications used for PGP

a)      GnuPG
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Step_by_Step_Guide/s1-gnupg-import.html

b)      Symantec Encryption Desktop for Windows
https://support.symantec.com/en_US/article.HOWTO42073.html

c)      PGP Command Line

https://support.symantec.com/en_US/article.TECH149827.html

d)      Authora
http://www.authora.com/documents/EDGEUserGuide.pdf      Page#31

e)      GoAnywhere
https://www.goanywhere.com/openpgp-studio/documentation/key-manager

FAQs:
1. What is PGP and why do we use it?

Answer: Please review the posting at: https://communities.ca.com/people/chama30/blog/2017/01/05/pgp-encryption for information on PGP and why we need to use it?

2. What is this key used for?

Answer: The public key is used for encrypting data to be shared with CA Payment Security Operations team, most commonly cardholder data to upload in CA Transaction Manager.

3. Why do we need to update PGP key?

Answer: All cryptographic keys used in a PCI environment must be changed every few years, because if the key is compromised or stolen the damage will be limited.

4. Do I need to do anything after import?

Answer: You must verify trust on the updated public key for more information about trusting a pgp key refer https://www.gnupg.org/gph/en/manual/x334.html If the key is not trusted, the software will prompt you for confirmation when using it, this may break your automated process.

5. Where can I find the new PGP Public Key?

Answer: You can find it embedded in this document.

6. For more questions on this topic, who could we reach out to?

Answer: For any questions or concerns related to this schedule, please contact the Payment Security Support team at [email protected] or by opening a support request at support.arcot.com.