Information Security
pci-dss pci-scope
Updated Fri, 17 Jun 2022 12:34:45 GMT

Store PCI DSS data in an encrypted form in non PCI DSS scope


Am I allowed to save a strongly encrypted archive containing the CHD on external storage which is outside our PCI-DSS infrastructure?

For example, we'd like to save an encrypted backup archive for last resort purpose on a server which is hosted inside our office.

The data is useless without the passwords, but if everything in the datacenter burns down, it would give us a chance to rebuild everything quickly. Each password would be held by a single person.

We've got an affirmative answer from SecurityMetrics by the way, but we fear it is just an answer bot.




Solution

Using that external storage effectively brings it within PCI scope; however, you are correct:

If you have strong encryption sufficient to protect the data, and can evidence that, storing it on an archive should be allowed.

Don't try to word it as outside PCI scope, though; account for it in the usual way when speaking with your QSA, and include the info you have presented here.
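As an added illustration of the arrangement the question describes (an archive that is useless without passphrases held by several different people, with the keys themselves never leaving PCI scope), here is a worked example in Go. It is not code from the question, the answer or SecurityMetrics; the design is an assumption of mine: the archive is encrypted with a random data-encryption key (DEK) under AES-256-GCM, the DEK is XOR-split into one share per custodian so that every share is required, and each share is wrapped under a key derived from that custodian's passphrase with PBKDF2-HMAC-SHA256 (implemented inline because the standard library only gained `crypto/pbkdf2` in Go 1.24). The `Bundle` type, the `Seal`/`Open` functions and the sample payload are all hypothetical names and constructed test data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// pbkdf2 derives a 32-byte key with PBKDF2-HMAC-SHA256 (RFC 8018). One SHA-256 block
// (index 1) is enough for 32 bytes, so only the first block is computed.
func pbkdf2(pass, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, pass)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1})
	u := prf.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// gcmSeal encrypts with AES-256-GCM and prepends the random nonce to the ciphertext.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; a wrong key or any tampering fails the GCM tag check.
func gcmOpen(key, data, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], aad)
}

// Bundle is what may sit on the out-of-scope server: the archive under a random DEK plus
// one wrapped DEK share per custodian. Passphrases and the DEK itself are never stored.
type Bundle struct {
	Salt    []byte   // PBKDF2 salt; custodian index is appended so each KEK differs
	Archive []byte   // AES-256-GCM(DEK, archive)
	Shares  [][]byte // Shares[i] = AES-256-GCM(KEK_i, share_i); XOR of all shares = DEK
}

const kdfIters = 100000 // assumed iteration count; tune to your hardware

func custodianKey(pass string, salt []byte, i int) []byte {
	return pbkdf2([]byte(pass), append(append([]byte(nil), salt...), byte(i)), kdfIters)
}

// Seal encrypts archive and splits the DEK across all custodians (split knowledge).
func Seal(archive []byte, passphrases []string) (*Bundle, error) {
	if len(passphrases) < 2 {
		return nil, errors.New("split knowledge needs at least two custodians")
	}
	dek, salt := make([]byte, 32), make([]byte, 16)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	b := &Bundle{Salt: salt}
	var err error
	if b.Archive, err = gcmSeal(dek, archive, []byte("chd-backup")); err != nil {
		return nil, err
	}
	// XOR split: all but the last share are random; the last is DEK XOR the others,
	// so any missing share leaves the DEK uniformly random from the attacker's view.
	last := append([]byte(nil), dek...)
	shares := make([][]byte, len(passphrases))
	for i := 0; i < len(passphrases)-1; i++ {
		shares[i] = make([]byte, 32)
		if _, err := rand.Read(shares[i]); err != nil {
			return nil, err
		}
		for j := range last {
			last[j] ^= shares[i][j]
		}
	}
	shares[len(passphrases)-1] = last
	for i, pass := range passphrases {
		w, err := gcmSeal(custodianKey(pass, salt, i), shares[i], []byte{byte(i)})
		if err != nil {
			return nil, err
		}
		b.Shares = append(b.Shares, w)
	}
	return b, nil
}

// Open needs every custodian's passphrase; one wrong or missing passphrase fails.
func Open(b *Bundle, passphrases []string) ([]byte, error) {
	if len(passphrases) != len(b.Shares) {
		return nil, errors.New("every custodian must be present")
	}
	dek := make([]byte, 32)
	for i, pass := range passphrases {
		share, err := gcmOpen(custodianKey(pass, b.Salt, i), b.Shares[i], []byte{byte(i)})
		if err != nil {
			return nil, fmt.Errorf("custodian %d: wrong passphrase or tampered share", i)
		}
		for j := range dek {
			dek[j] ^= share[j]
		}
	}
	return gcmOpen(dek, b.Archive, []byte("chd-backup"))
}

func main() {
	// Constructed sample payload standing in for a backup archive; not real cardholder data.
	archive := []byte("constructed backup: PAN 4111 1111 1111 1111 (test number) exp 12/29")
	custodians := []string{"alice-passphrase", "bob-passphrase", "carol-passphrase"}
	b, err := Seal(archive, custodians)
	if err != nil {
		panic(err)
	}
	if _, err := Open(b, []string{"alice-passphrase", "bob-passphrase", "guess"}); err != nil {
		fmt.Println("one wrong custodian:", err)
	}
	got, err := Open(b, custodians)
	fmt.Printf("all custodians: %q err=%v\n", got, err)
}
```

The point for the QSA conversation is visible in the data structure: the bundle that leaves the CDE holds only ciphertext and wrapped shares, while the passphrases (and therefore the KEKs and the DEK) exist only in the custodians' heads and in memory inside PCI scope during a restore. Because the split is XOR-based, it is an all-or-nothing scheme; if you need a quorum (any k of n custodians), replace the XOR split with Shamir secret sharing, which this example does not implement.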





Comments (1)

  • +0 – Thanks, as I understand it, the encryption keys are to be kept in PCI scope, as they're the only way to get the data back. — Jun 13, 2016 at 09:04