Frequently Asked Question

How does encrypted cardholder data impact PCI DSS scope for third-party service providers?

Where encrypted cardholder data is shared with a third party, responsibility for the data generally remains with the entity or entities with the ability to decrypt the data or impact the security of the encrypted data. Determining which party is responsible for specific PCI DSS controls will depend on a number of factors, such as who has access to the decryption keys, the role performed by each party, and the agreement between parties. Responsibilities should be clearly defined and documented to ensure both the third-party and the entity providing the encrypted data understand who is responsible for which security controls.

As an example, a third-party storage provider receives and stores encrypted cardholder data provided by merchants for back-up purposes. The storage provider does not have access to the encryption or decryption keys, nor do they perform any key management for their merchant customers. The provider does, however, maintain responsibility for controlling access to the encrypted data storage as part of this particular service agreement.

Responsibility for ensuring that the encrypted data and the cryptographic keys are protected according to applicable PCI DSS requirements is often shared between entities. In the above example, the merchant determines which of their personnel are authorized to access the storage media, and the storage facility manages the physical and/or logical access controls to ensure that only persons authorized by the merchant are granted access to the storage media.  The specific PCI DSS requirements applicable to the service provider will depend on the services provided and the agreement between the two parties. In this example, the physical and logical access controls provided by the storage facility will need to be reviewed at least annually. This review could be performed as part of the merchant’s PCI DSS compliance or, alternatively, the review could be performed and controls validated by the storage facility with appropriate evidence provided to the merchant.

As another example, a third party that receives only encrypted cardholder data for the purposes of routing to other entities, and that does not have access to the cardholder data or cryptographic keys, may not have any PCI DSS responsibility for that encrypted data. In this scenario, where the third party is not providing any security services or access controls, they may be considered the same as a public or untrusted network, and it would be the responsibility of the entity(s) sending/receiving cardholder data through the third party’s network to ensure PCI DSS controls are applied to protect the data being transmitted. 

Whether service providers are required to validate PCI DSS compliance is determined by individual payment brand programs.  

August 2016
Article Number: 1233