We still have clients ask us this question from time to time. Unfortunately, simply encrypting Cardholder data (CHD) doesn’t necessarily de-scope it. Under most circumstances, if encrypted CHD is stored, processed or transmitted it will still be in the scope of PCI DSS because often the decryption keys are held within the same environment as the encrypted CHD.
Exceptions to this rule
The PCI Security Standards Council (PCI SSC) released a standard in June 2013 called Point-to-Point Encryption. The PCI P2PE standard is designed for the secure encryption of CHD at the point of capture until it reaches a secure decryption environment. If organizations are using a PCI SSC validated P2PE Solution, the network traffic isn’t in scope for PCI DSS, therefore the network used to support transmission for the Point-of-Interaction (POI) devices (aka PEDs/PDQs) traffic isn’t in scope.
In a P2PE environment, only the POI devices are in scope for assessment activities. The reason for this is because the encryption is designed in a way that only the decryption environment can feasibly decrypt the data.
How about third-party backup providers?
Typically, the provider will store encrypted backup sets; however, the provider will not have access to the decryption keys which will only be held by the client. Because the provider cannot feasible decrypt the data, the CHD would not be in scope for the provider. This is further discussed within the following PCI SSC Frequently Asked Questions articles; “How does encrypted cardholder data impact PCI DSS scope?” and “How does encrypted cardholder data impact PCI DSS scope for third-party service providers?“
Read more about encryption in our blog post on Requirement 4 of PCI DSS
Read more about Encryption and GDPR