Frequently Asked Question

How does encrypted cardholder data impact PCI DSS scope for third-party service providers?

Where a third-party service provider (TPSP) receives and/or stores only data encrypted by another entity, and where they do not have the ability to decrypt the data, the TPSP may be able to consider the encrypted data out of scope if the TPSP has no access to the decryption keys or to the clear-text data.

For more information, refer to PCI DSS v4.0 section 4 Scope of PCI DSS Requirements, subsection Use of Third-Party Service Providers.

Refer to FAQ 1086: How does encrypted cardholder data impact PCI DSS scope?

Last updated: February 2024
Originally published: February 2013
Article Number: 1233
