FAQ #1233 Diff
Are third-party storage providers storing only encrypted cardholder data in scope for PCI DSS?
Where a third-party service provider (TPSP) receives and/or stores only data encrypted by another entity, and where they do not have the ability to decrypt the data, the TPSP may be able to consider the encrypted data out of scope if the TPSP has no access to the decryption keys or to the clear-text data.
For more information, refer to PCI DSS v4.x (v4.0 in the earlier version) section 4 Scope of PCI DSS Requirements, subsection Use of Third-Party Service Providers.
Refer to FAQ 1086: How does encrypted cardholder data impact PCI DSS scope?
Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.