
Am I allowed to save a strongly encrypted archive containing the CHD on an external storage which is outside our PCI-DSS infrastructure?

For example, we'd like to save an encrypted backup archive for last resort purpose on a server which is hosted inside our office.

The data is useless without the passwords, but if everything in the datacenter burns down, it would give us a chance to rebuild everything quickly. Each password would be held by a single person.

We've got an affirmative answer from SecurityMetrics by the way, but we fear it is just an answer bot.

  • Simple question. How do you think people cope with PCI-DSS compliance when they use tapes with off-site rotation as part of their backup routine? Personally I would be more worried about the security of your encryption keys, "giving passwords to people" ... hmmm.... – Little Code Jun 06 '16 at 11:45
  • @LittleCode Thanks, I didn't think of that. By "people", I mean the CEO and CTO, and they wouldn't store it cleartext. But indeed, this is an important point to think about: how keys would be managed. – BitLegacy01 Jun 07 '16 at 07:27
  • This very question was answered in the official PCI SSC FAQ: https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Is-encrypted-cardholder-data-in-scope-for-PCI-DSS – Artem Bychkov Jun 08 '16 at 08:38

1 Answer


Using that external storage effectively brings it within PCI scope, however you are correct:

If you have strong encryption sufficient to protect the data, and can evidence that, storing it on an archive should be allowed.

Don't try and word it as outside PCI scope though - account for it in the usual way when speaking with your QSA, and include the info you have presented here.

Rory Alsop
  • Thanks, as I understand the encryption keys are to be kept in PCI scope as they're the only way to get the data back. – BitLegacy01 Jun 13 '16 at 09:04