FAQ #1086 Diff

Is encrypted cardholder data considered cardholder data that must be protected in accordance with PCI DSS?

Earlier Version
2016-08-16T00:00:00+00:00

Later Version
2024-02-28T00:41:00+00:00

Removed

Added

This FAQ has been updated in consideration of changes to payment environments and standards, including the PCI P2PE Standard.

Use of encryption in a merchant environment does not remove the need for PCI DSS in that environment. The merchant environment is still in scope for PCI DSS due to the presence of cardholder data. For example, in a card-present environment, merchants have physical access to the payment cards in order to complete a transaction and may also have paper reports or receipts with cardholder data. Similarly, in card-not-present environments, such as mail-order or telephone-order, payment card details are provided via channels that need to be evaluated and protected according to PCI DSS.

Encryption of cardholder data with strong cryptography is an acceptable method of rendering the data unreadable ~~in order~~according to ~~meet~~ PCI DSS Requirement ~~3.4.~~3.5.1. However, encryption alone ~~may~~is ~~not be sufficient~~insufficient to render the cardholder data out of scope for PCI DSS.

TheDSS.For ~~following~~more ~~are~~information, ~~each~~refer ~~in scope for~~to PCI DSS:

SystemsDSS ~~performing~~v4.0 ~~encryption~~section ~~and/or~~4 ~~decryption~~Scope of ~~cardholder~~PCI ~~data,~~DSS Requirements, subsection Encrypted Cardholder Data and systems performing key management functions
Encrypted cardholder data that is not isolated from the encryption and decryption and key management processes
Encrypted cardholder data that is presentImpact on aPCI ~~system~~DSS or media that also contains the decryption key
Encrypted cardholder data that is present in the same environment as the decryption key
Encrypted cardholder data that is accessible to an entity that also has accessScope.Refer to the ~~decryption~~following key

Whererelated a third party receives and/or stores only data encrypted by another entity, and where they do not have the ability to decrypt the data, the third party may be able to consider the encrypted data out of scope if certain conditions are met. For further guidance, refer toFAQs: FAQ 1233: How does encrypted cardholder data impact PCI DSS scope for third-party service providers?

Additionally, for information about how a merchant may receive scope reduction through use of a validated P2PE solution, please see the FAQproviders?FAQ 1158: What effect does the use of a PCI-listed P2PE solution have on a ~~merchant?s~~merchant's PCI DSS validation?

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.