In version 3.2.1 of the PCI DSS, sections 3.6.4 and 3.6.5 say that applications must have procedures for changing or replacing encryption keys.
For encryption of Aria tables, if an encryption key is rotated, then I believe that existing encrypted pages continue to use the old version of the encryption key. As far as I know, MariaDB does not have any mechanism to re-encrypt existing Aria pages with a new encryption key or a new version of an encryption key. In order to re-encrypt existing pages, I believe that the table would need to be rebuilt. e.g.:
This limitation would make it a bit more difficult for our users to satisfy these requirements of the PCI DSS.
MDEV-18971 would probably need to be implemented before we can implement this.