Where encrypted cardholder data is shared with a third party, responsibility for the data generally remains with the entity or entities with the ability to decrypt the data or impact the security of the encrypted data. Determining which party is responsible for specific PCI DSS controls will depend on a number of factors, such as who has access to the decryption keys, the role performed by each party, and the agreement between parties. Responsibilities should be clearly defined and documented to ensure both the third party storing the data and the entity providing the encrypted data understand who is responsible for which security controls.
As an example, a third-party storage provider receives and stores encrypted cardholder data provided by merchants for back-up purposes. The storage provider does not have access to the encryption or decryption keys, nor do they perform any key management for their merchant customers. The provider does, however, maintain responsibility for controlling access to the encrypted data storage as part of this particular service agreement.
Responsibility for ensuring that the encrypted data and the cryptographic keys are protected according to applicable PCI DSS requirements is often shared between entities. In the above example, the merchant determines which of their personnel are authorized to access the storage media, and the storage facility manages the physical and/or logical access controls to ensure that only persons authorized by the merchant are granted access to the storage media. The specific PCI DSS requirements applicable to the service provider will depend on the services provided and the agreement between the two parties. In this example, the physical and logical access controls provided by the storage facility will need to be reviewed at least annually. This review could be performed as part of the merchant's PCI DSS compliance or, alternatively, the review could be performed and controls validated by the storage facility with appropriate evidence provided to the merchant.
As another example, a third party that receives only encrypted cardholder data for the purposes of routing to other entities, and that does not have access to the cardholder data or cryptographic keys, may not have any PCI DSS responsibility for that encrypted data. In this scenario, where the third party is not providing any security services or access controls, they may be considered a public or untrusted network, and it would be the responsibility of the entity(s) sending/receiving cardholder data through the third party's network to ensure PCI DSS controls are applied to protect the data being transmitted.
Whether service providers are required to validate PCI DSS compliance is determined by individual payment brand programs.