Payment Card Industry Data Security Standard: Requirements and Testing Procedures, v4.0 March 2022
© 2006 - 2022 PCI Security Standards Council, LLC. All rights reserved. Page 15
Note: A PCI-listed P2PE solution can significantly reduce the number of PCI DSS requirements applicable to a merchant’s cardholder data environment. However, it does not completely remove the applicability of PCI DSS in the merchant environment.
Encrypted Cardholder Data and Impact to PCI DSS Scope for Third-Party Service Providers
Where a third-party service provider (TPSP) receives and/or stores only data encrypted by another entity, and where they do not have the ability to decrypt the data, the TPSP may be able to consider the encrypted data out of scope if certain conditions are met. This is because responsibility for the data generally remains with the entity, or entities, with the ability to decrypt the data or impact the security of the encrypted data. Determining which party is responsible for specific PCI DSS controls will depend on several factors, including who has access to the decryption keys, the role performed by each party, and the agreement between parties. Responsibilities should be clearly defined and documented to ensure both the TPSP and the entity providing the encrypted data understand which entity is responsible for which security controls.
As an example, a TPSP providing storage services receives and stores encrypted cardholder data provided by customers for back-up purposes. This TPSP does not have access to the encryption or decryption keys, nor does it perform any key management for its customers. The TPSP can exclude any such encrypted data when determining its PCI DSS scope. However, the TPSP does maintain responsibility for controlling access to the encrypted data storage as part of its service agreements with its customers.
Responsibility for ensuring that the encrypted data and the cryptographic keys are protected according to applicable PCI DSS requirements is often shared between entities. In the above example, the customer determines which of their personnel are authorized to access the storage media, and the storage facility is responsible for managing the physical and/or logical access controls to ensure that only persons authorized by the customer are granted access to the storage media. The specific PCI DSS requirements applicable to a TPSP will depend on the services provided and the agreement between the two parties. In the example of a TPSP providing storage services, the physical and logical access controls provided by the TPSP will need to be reviewed at least annually. This review could be performed as part of the merchant’s PCI DSS assessment or, alternatively, the review could be performed, and controls validated, by the TPSP with appropriate evidence provided to the merchant. For information about “appropriate evidence,” see Options for TPSPs to Validate PCI DSS Compliance for TPSP Services that Meet Customers’ PCI DSS Requirements.
As another example, a TPSP that receives only encrypted cardholder data for the purposes of routing to other entities, and that does not have access to the data or cryptographic keys, may not have any PCI DSS responsibility for that encrypted data. In this scenario, where the TPSP is not providing any security services or access controls, they may be considered the same as a public or untrusted network, and it would be the responsibility of the entity or entities sending/receiving account data through the TPSP’s network to ensure PCI DSS controls are applied to protect the data being transmitted.