Frequently Asked Question

How does encrypted cardholder data impact PCI DSS scope?

Encryption of cardholder data with strong cryptography is an acceptable method of rendering the data unreadable according to PCI DSS Requirement 3.5.1. However, encryption alone is insufficient to render the cardholder data out of scope for PCI DSS.

For more information, refer to PCI DSS v4.0 section 4 Scope of PCI DSS Requirements, subsection Encrypted Cardholder Data and Impact on PCI DSS Scope.

Refer to the following related FAQs:

FAQ 1233: How does encrypted cardholder data impact PCI DSS scope for third-party service providers?

FAQ 1158: What effect does the use of a PCI-listed P2PE solution have on a merchant's PCI DSS validation?

Last updated: February 2024
Originally published: April 2012
Article Number: 1086

Featured FAQ Articles