Where stored encrypted CHD is out of scope is when a third party controls the encryption keys. This most often occurs with tokenization. Under a tokenization scheme, the CHD is sent to a third party who then securely stores the CHD and returns a token that links the CHD at the third party to the token stored by the merchant. If the merchant needs to make any subsequent charges to the account, the merchant sends the stored token to the third party and the third party substitutes the stored CHD for the token and the transaction is completed. But since the merchant does not have access to the token creation process, the token is out of scope because it is no longer considered CHD.
According to this FAQ:
The following are each in scope for PCI DSS:
- Systems performing encryption and/or decryption of cardholder data, and systems performing key management functions
- Encrypted cardholder data that is not isolated from the encryption and decryption and key management processes
- Encrypted cardholder data that is present on a system or media that also contains the decryption key
- Encrypted cardholder data that is present in the same environment as the decryption key
- Encrypted cardholder data that is accessible to an entity that also has access to the decryption key
So my question is: if the CHD is encrypted in transit (TLS 1.2) to the CDE, encrypted inside the CDE with a key received over TLS from an HSM that is isolated from the CHD database and on a separate network from the CDE, and then the encrypted CHD is transmitted over TLS to be stored in the database, is the database in scope, and is the encrypted CHD still CHD?
- The database does not perform encryption and/or decryption of cardholder data, and does not perform key management functions and does not store the encryption keys.
- The encrypted CHD stored on the database is isolated from the encryption and decryption and key management processes. The HSM does not have access to the database server, and the database server does not have access to the HSM. The CDE is on a different network segment from the HSM.
- The encrypted CHD stored on the database is not present on a system or media that also contains the decryption key. The decryption keys are stored in the HSM appliance only.
- The encrypted CHD stored on database is not present in the same network environment as the decryption key.
- The encrypted CHD stored on the database is accessible to the entity that also has access to the decryption key.
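The three-way split described in the question, as an added Go model that is not from the original post or any PCI document: a data-encryption key that exists only at the key manager, a CDE application that encrypts with it, and a database tier that holds ciphertext and nothing else. The type names and the raw-key release from the key manager are assumptions made to keep the model small.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// NewDEK stands in for the isolated HSM in the question: the only place the
// data-encryption key exists until the CDE application fetches it (hypothetical
// model; a real HSM would wrap the key rather than release it raw).
func NewDEK() ([]byte, error) {
	k := make([]byte, 32) // AES-256 key
	_, err := rand.Read(k)
	return k, err
}
// CardDB models the database server: opaque blobs, no key, no crypto code.
type CardDB map[string][]byte
// CDEApp is the only component that holds the DEK (as a ready AEAD).
type CDEApp struct{ aead cipher.AEAD }

func NewCDEApp(dek []byte) (*CDEApp, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &CDEApp{aead: aead}, nil
}
// Seal encrypts a PAN inside the CDE; blob layout is nonce || ciphertext || tag,
// so the stored row alone reveals nothing about the PAN.
func (a *CDEApp) Seal(pan string) ([]byte, error) {
	nonce := make([]byte, a.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.aead.Seal(nonce, nonce, []byte(pan), nil), nil
}
// Open recovers the PAN; any component holding a different key (or none)
// gets a GCM authentication failure, not partial plaintext.
func (a *CDEApp) Open(blob []byte) (string, error) {
	n := a.aead.NonceSize()
	if len(blob) < n {
		return "", errors.New("blob too short")
	}
	pt, err := a.aead.Open(nil, blob[:n], blob[n:], nil)
	return string(pt), err
}
```

The model only shows the data-flow property being argued in the bullets above (the database tier has no material that can decrypt); whether that is enough to descope the database is a question for the assessor, not the code.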
Because so many people have our information, and we can’t really change that information, we can no longer authorize transactions based only on having that data. It’s pretty obvious when you think about it. What we’re going to have to do is some sort of composite authentication, where you have multiple factors in place at once, and at least one of those will likely include a live visual component. Expect in-person authentication to become a lot more popular in coming years, with services like notaries getting used more frequently. And as the technology becomes available, expect to see digital forms of in-person identity validation as well—things like proving you’re at a particular location, doing bio-based auth, someone not validating that you are you unless they can see you and talk to you, etc.