FAQ #1233 Diff
Are third-party storage providers storing only encrypted cardholder data in scope for PCI DSS?
Earlier Version
Where encrypted cardholder data is shared with a third party, responsibility for the data generally remains with the entity or entities with the ability to decrypt the data or impact the security of the encrypted data. Determining which party is responsible for specific PCI DSS controls will depend on a number of factors, such as who has access to the decryption keys, the role performed by each party, and the agreement between parties. Responsibilities should be clearly defined and documented to ensure both the third-party and the entity providing the encrypted data understand who is responsible for which security controls.

As an example, a third-party storage provider receives and stores encrypted cardholder data provided by merchants for back-up purposes. The storage provider does not have access to the encryption or decryption keys, nor do they perform any key management for their merchant customers. The provider does, however, maintain responsibility for controlling access to the encrypted data storage as part of this particular service agreement.

Responsibility for ensuring that the encrypted data and the cryptographic keys are protected according to applicable PCI DSS requirements is often shared between entities. In the above example, the merchant determines which of their personnel are authorized to access the storage media, and the storage facility manages the physical and/or logical access controls to ensure that only persons authorized by the merchant are granted access to the storage media. The specific PCI DSS requirements applicable to the service provider will depend on the services provided and the agreement between the two parties. In this example, the physical and logical access controls provided by the storage facility will need to be reviewed at least annually. This review could be performed as part of the merchant's PCI DSS compliance or, alternatively, the review could be performed and controls validated by the storage facility with appropriate evidence provided to the merchant.

As another example, a third party that receives only encrypted cardholder data for the purposes of routing to other entities, and that does not have access to the cardholder data or cryptographic keys, may not have any PCI DSS responsibility for that encrypted data. In this scenario, where the third party is not providing any security services or access controls, they may be considered the same as a public or untrusted network, and it would be the responsibility of the entity(s) sending/receiving cardholder data through the third party's network to ensure PCI DSS controls are applied to protect the data being transmitted.

Whether service providers are required to validate PCI DSS compliance is determined by individual payment brand programs.

Later Version

Where a third-party service provider (TPSP) receives and/or stores only data encrypted by another entity, and where they do not have the ability to decrypt the data, the TPSP may be able to consider the encrypted data out of scope if the TPSP has no access to the decryption keys or to the clear-text data. For more information, refer to PCI DSS v4.0 section 4 Scope of PCI DSS Requirements, subsection Use of Third-Party Service Providers. Refer to FAQ 1086: How does encrypted cardholder data impact PCI DSS scope?
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.