A plurality of storage location numbers (“SLNs”), each having a cryptographic period, is received at a first device (100). A system cryptographic period is determined based on the SLN cryptographic periods. Prior to expiration of each system cryptographic period, if at least one SLN requires an updated, the first device sends updated key material for the at least one SLN. A second device (102) maintains first, second, and third keysets, wherein the first and second keysets comprise key material. The second device receives a message to make the first keyset active, and a second message for updating at least a portion of the key material in the second keyset with updated key material for at least one SLN. The second device makes the third keyset equivalent to the second keyset, updates the second keyset with the updated key material, and receives a third message to make the second keyset active.