Frequently Asked Question

Where a third-party service provider (TPSP) receives and/or stores only data encrypted by another entity, and where they do not have the ability to decrypt the data, the TPSP may be able to consider the encrypted data out of scope if the TPSP has no access to the decryption keys or to the clear-text data.

For more information, refer to PCI DSS v4.0 section 4 Scope of PCI DSS Requirements, subsection Use of Third-Party Service Providers.

Refer to FAQ 1086: How does encrypted cardholder data impact PCI DSS scope?