Is Encrypted Cardholder Data still Card Holder Data

I am clear about scope. I am unclear about whether or not the encrypted CHD is still considered CHD after encryption.

According to this FAQ:

The following are each in scope for PCI DSS:

  • Systems performing encryption and/or decryption of cardholder data, and systems performing key management functions
  • Encrypted cardholder data that is not isolated from the encryption and decryption and key management processes
  • Encrypted cardholder data that is present on a system or media that also contains the decryption key
  • Encrypted cardholder data that is present in the same environment as the decryption key
  • Encrypted cardholder data that is accessible to an entity that also has access to the decryption key

So my question is if the CHD is encrypted in transit (TLS 1.2) to the CDE, encrypted inside the CDE with a key received over TLS from an HSM isolated from the CHD database and on a separate network from the CDE, and then encrypted CHD is transmitted over TLS to be stored in the database, is the database in scope and is the encrypted CHD still CHD?

To clarify:

  • The database does not perform encryption and/or decryption of cardholder data, and does not perform key management functions and does not store the encryption keys.
  • The encrypted CHD stored on the database is isolated from the encryption and decryption and key management processes. The HSM does not have access to the database server, and the database server does not have access to the HSM. The CDE is on a different network segment from the HSM.
  • The encrypted CHD stored on the database is not present on a system or media that also contains the decryption key. The decryption keys are stored in the HSM appliance only.
  • The encrypted CHD stored on database is not present in the same network environment as the decryption key.
  • The encrypted CHD stored on the database is accessible to the entity that also has access to the decryption key.