Did you know that the Frequently Asked Questions (FAQ) resource on the PCI SSC website is updated regularly to address common questions the PCI SSC receives from stakeholders? This searchable tool includes a library of questions and answers on a variety of topics across PCI Security Standards and programs. In this blog series we highlight some of our most viewed FAQs. Here we look at FAQ article 1086 on the impact of encrypted cardholder data on PCI DSS scope.
Q: How does encrypted cardholder data impact PCI DSS scope?
A: This FAQ has been updated in consideration of changes to payment environments and standards, including the PCI Point-to-Point Encryption (P2PE) Standard.
Use of encryption in a merchant environment does not remove the need for PCI Data Security Standard (PCI DSS) controls in that environment. The merchant environment remains in scope for PCI DSS because cardholder data is still present, at minimum at the point where it is captured. For example, in a card-present environment, merchants have physical access to the payment cards in order to complete a transaction and may also hold paper reports or receipts containing cardholder data. Similarly, in card-not-present environments, such as mail-order or telephone-order, payment card details arrive via channels that need to be evaluated and protected according to PCI DSS.
Encryption of cardholder data with strong cryptography is an acceptable method of rendering the data unreadable in order to meet PCI DSS Requirement 3.4. However, encryption alone may not be sufficient to take the cardholder data out of scope for PCI DSS: what matters is where the encrypted data sits in relation to the systems, processes and people that can decrypt it.
The following are each in scope for PCI DSS:
- Systems performing encryption and/or decryption of cardholder data, and systems performing key management functions
- Encrypted cardholder data that is not isolated from the encryption and decryption and key management processes
- Encrypted cardholder data that is present on a system or media that also contains the decryption key
- Encrypted cardholder data that is present in the same environment as the decryption key
- Encrypted cardholder data that is accessible to an entity that also has access to the decryption key
Where a third party receives and/or stores only data that was encrypted by another entity, and where it has no ability to decrypt that data, the third party may be able to consider the encrypted data out of scope if certain conditions are met. For further guidance, refer to FAQ 1233: How does encrypted cardholder data impact PCI DSS scope for third-party service providers?
Additionally, for information about how a merchant may reduce PCI DSS scope by using a validated P2PE solution, see FAQ 1158: What effect does the use of a PCI-listed P2PE solution have on a merchant’s PCI DSS validation?