FAQ #1086 Diff
Is encrypted cardholder data considered cardholder data that must be protected in accordance with PCI DSS?
Encryption of cardholder data with strong cryptography is an acceptable method of rendering the data unreadable according to PCI DSS Requirement 3.5.1. However, encryption alone is insufficient to render the cardholder data out of scope for PCI DSS.
For more information, refer to PCI DSS v4.x (v4.0 in the earlier version) section 4 Scope of PCI DSS Requirements, subsection Encrypted Cardholder Data and Impact on PCI DSS Scope.
Refer to the following related FAQs:
FAQ 1233: How does encrypted cardholder data impact PCI DSS scope for third-party service providers?
FAQ 1158: What effect does the use of a PCI-listed P2PE solution have on a merchant's PCI DSS validation?
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.