FAQ #1086 Diff
Is encrypted cardholder data considered cardholder data that must be protected in accordance with PCI DSS?
Earlier Version
Use of encryption in a merchant environment does not remove the need for PCI DSS in that environment. The Council will be developing more formal guidance around this topic, leveraging information that is received through the various channels of the DSS lifecycle feedback process. Until further guidance is provided by the Council, the following should be taken into consideration regarding encrypted cardholder data.
Encryption solutions are only as good as the industry-approved algorithms and key management practices used, including security controls surrounding the encryption/decryption keys ("Keys"). If Keys are left unprotected and accessible, anyone can decrypt the data. The PCI DSS has specific encryption key management controls (DSS 3.5 and 3.6), however, other DSS controls such as firewalls, user access controls, vulnerability management, scanning, logging and application security provide additional layers of security to prevent malicious users from gaining privileged access to networks or cardholder data environments that may grant them access to Keys. It is for this reason that encrypted cardholder data is in scope for PCI DSS.
However, encrypted data may be deemed out of scope if, and only if, it has been validated that the entity that possesses encrypted cardholder data does not have the means to decrypt it. Any technological implementation or vendor solution should be validated to ensure both physical and logical controls are in place in accordance with industry best practices, prohibiting the entity, or malicious users that may gain access to the entity's environment, from obtaining access to Keys.
Furthermore, service providers or vendors that provide encryption solutions to merchants who have administrative access and controls to Keys along with the management of termination points for encryption to process transactions, are required to demonstrate physical and logical controls to protect cryptographic keys in accordance with industry best practices (such as NIST referenced in PCI DSS requirement 3.6), along with full compliance with PCI DSS. Merchants should ensure their solution providers who provide key management services and/or act as the point of encryption/decryption are in compliance with PCI DSS.
Merchants should be aware that encryption solutions most likely do not remove them completely from PCI DSS. Examples of where DSS would still be applicable include usage policies, agreements with service providers that deploy payment solutions, physical protection of payment assets and any legacy data and processes (such as billing, loyalty, marketing databases) within the merchant's environment that may still store, process or transmit clear text cardholder data, as that would remain in scope for PCI DSS.
Later Version
This FAQ has been updated in consideration of changes to payment environments and standards, including the PCI P2PE Standard.
Use of encryption in a merchant environment does not remove the need for PCI DSS in that environment. The merchant environment is still in scope for PCI DSS due to the presence of cardholder data. For example, in a card-present environment, merchants have physical access to the payment cards in order to complete a transaction and may also have paper reports or receipts with cardholder data. Similarly, in card-not-present environments, such as mail-order or telephone-order, payment card details are provided via channels that need to be evaluated and protected according to PCI DSS.
Encryption of cardholder data with strong cryptography is an acceptable method of rendering the data unreadable in order to meet PCI DSS Requirement 3.4. However, encryption alone may not be sufficient to render the cardholder data out of scope for PCI DSS.
The following are each in scope for PCI DSS:
Systems performing encryption and/or decryption of cardholder data, and systems performing key management functions
Encrypted cardholder data that is not isolated from the encryption and decryption and key management processes
Encrypted cardholder data that is present on a system or media that also contains the decryption key
Encrypted cardholder data that is present in the same environment as the decryption key
Encrypted cardholder data that is accessible to an entity that also has access to the decryption key
Where a third party receives and/or stores only data encrypted by another entity, and where they do not have the ability to decrypt the data, the third party may be able to consider the encrypted data out of scope if certain conditions are met. For further guidance, refer to FAQ 1233: How does encrypted cardholder data impact PCI DSS scope for third-party service providers?
Additionally, for information about how a merchant may receive scope reduction through use of a validated P2PE solution, please see the FAQ 1158: What effect does the use of a PCI-listed P2PE solution have on a merchant's PCI DSS validation?
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.