PCI Watch

Tracking changes across the Payment Card Industry
ℹ️
Reference Content: This is a copy of content from the PCI Security Standards Council FAQ database, preserved for tracking changes over time.
View Original →
FAQ #1233 Published

How does encrypted cardholder data impact PCI DSS scope for third-party service providers?

Where a third-party service provider (TPSP) receives and/or stores only data encrypted by another entity, and where they do not have the ability to decrypt the data, the TPSP may be able to consider the encrypted data out of scope if the TPSP has no access to the decryption keys or to the clear-text data.For more information, refer to PCI DSS v4.0 section 4 Scope of PCI DSS Requirements, subsection Use of Third-Party Service Providers.Refer to FAQ 1086: How does encrypted cardholder data impact PCI DSS scope?

View original on PCI SSC website View all versions Back to recent changes

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.