
I had an interesting exchange on Google+ the other day regarding whether or not encrypted data is in scope for PCI compliance. In the end it was suggested that I write a blog entry on the topic, as the others in the conversation felt that how to treat encryption has not been articulated very clearly by the PCI SSC. I would argue that the rules regarding encryption and scope have been very clearly articulated in the PCI SSC’s FAQ #1086. However, based on the conversation we had, it was obvious that this is not common knowledge. So here are the rules as practiced by most QSAs.

The key to interpreting whether or not encrypted cardholder data is in scope is in that FAQ. Encrypted cardholder data, whether stored or transmitted, is out of scope only when it meets the following definition.

“It is possible that encrypted data may potentially be out of scope for a particular entity if, and only if, it is validated (for example, by a QSA or ISA) that the entity in possession of the encrypted data does not have access to the cleartext cardholder data or the encryption process, nor do they have the ability to decrypt the encrypted data.”

The important phrase in the aforementioned definition is “if, and only if.” The only way encrypted cardholder data (CHD) is out of scope is if the entity being assessed for PCI compliance has no access to the cleartext CHD or to the encryption process and has no ability to decrypt the encrypted CHD. This is a very important concept that gets constantly misinterpreted by QSAs and their clients. It is up to the QSA to confirm that the organization being assessed cannot decrypt the encrypted CHD (for example, by establishing where the decryption keys are held and who can use them) and to document the procedures conducted to prove that fact.

With that as background, let us look at stored and transmitted encrypted data, how each can be out of scope, and what that means. As you will see, “out of scope” can mean different things depending on how the encryption is implemented.

Stored Cardholder Data
