Are third-party storage providers storing only encrypted cardholder data in scope for PCI DSS?
Generally, encrypted cardholder data stored at a third-party storage provider remains the responsibility of the storage provider's customer who is storing the data. However, determining which party is responsible for maintaining PCI DSS controls will also depend on which entity controls and/or has access to the decryption keys, and on the specific agreement between the third-party storage provider and its customer.
As an example, if storage media containing encrypted data also contains the decryption keys, or if the media is stored in the same environment as the keys, or the media is accessible to an entity that also has access to the keys, then the ability to decrypt the data exists and all applicable PCI DSS requirements would apply to that storage environment. In other words, the encrypted data is only considered out of scope where the party holding it has no means of decrypting it.
In another example, if a merchant stores media containing only encrypted data at a third-party back-up storage facility, and the third-party provider has no access to decryption keys and no ability to decrypt the data, then the presence of encrypted data alone would not bring the third-party provider into scope for PCI DSS. The merchant would remain responsible for ensuring that both the encrypted data and the cryptographic keys are protected according to applicable PCI DSS requirements. For example, access controls must be in place at the storage facility to ensure that only authorized persons (as determined by the merchant) have access to the storage media at the facility, and that access is not mistakenly granted to persons who also have the ability to decrypt the data.
Whether the specific access controls are validated as part of the third-party provider's PCI DSS compliance or as part of the merchant's PCI DSS compliance will depend on how the controls are implemented and the particular agreement in place between the parties. Whether the storage provider is required to validate PCI DSS compliance is determined by the individual payment brand programs.