
I have a question related to this FAQ:

https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/How-does-encrypted-cardholder-data-impact-PCI-DSS-scope?q=how+does+encrypted+data+impact+the+scope&l=en_US&fs=Search&

It says:

The following are each in scope for PCI DSS:

  • Systems performing encryption and/or decryption of cardholder data, and systems performing key management functions
  • Encrypted cardholder data that is not isolated from the encryption and decryption and key management processes
  • Encrypted cardholder data that is present on a system or media that also contains the decryption key
  • Encrypted cardholder data that is present in the same environment as the decryption key
  • Encrypted cardholder data that is accessible to an entity that also has access to the decryption key

In respect to: Encrypted cardholder data that is accessible to an entity that also has access to the decryption key

That implies that if you have an area in a company, and that area gives a token to a third party in another company (by token I mean a PAN encrypted with strong crypto, and Google Bank has the key in an HSM), that third party is out of scope of PCI, because it doesn't have access to the key material to decrypt it. However, if the area of the company gives the token to another area, which belongs to the same company but is in a different infrastructure and doesn't have access to the keys, would it be in scope of PCI?

This seems to contradict a paragraph on network segmentation from PCI DSS:

"To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE, such that even if the out-of-scope system component was compromised it could not impact the security of the CDE."

Polynomial
Samuel
  • They are not the same company. Youtube and Google Bank would be completely different companies. I'm not sure that this is about security or even PCI. This seems to be dependent on the understanding of corporate entities? In your scenario, you never address what the quote actually says: "the same environment" and "access to the key". That's not about different companies. You seem to be jumping around in your understanding. – schroeder Sep 23 '21 at 16:29
  • I apologize if the example is not clear. I thought YouTube and Google both belong to Alphabet, which would be the same entity. It could be portrayed in other words as simply saying it is a different area of the company, run by different people and with different infrastructure. – Samuel Sep 23 '21 at 16:33
  • They are not the same entity at all. They would not have the same access to things like decryption keys. So, I think you need to provide a completely different question if your question is not about how Alphabet is structured. And if it is about how corporate entities are structured, then this isn't a security question. – schroeder Sep 23 '21 at 16:51
  • @Samuel Please don't revert formatting edits. – Polynomial Sep 23 '21 at 17:43
  • @Polynomial Sorry, I did it because I thought the question was confusing and rewrote it. You gave me the answer I needed; I think the question and the answer can be understood. Thanks a lot – Samuel Sep 23 '21 at 17:46

1 Answer


In this context, "entity" does not mean the same thing as "company" or "legal entity". It means an entity in a threat model, which is basically an umbrella for any system, group of systems, system component, person, or role. When "entity" is used to describe a group of things (e.g. a set of systems, or a role that might be occupied by multiple users) it usually implies that all of those entities share an equivalent security context and sphere of control.

This might sound a bit abstract, so let me give you an example. Let's say you've got a bunch of payment servers that are behind a load balancer. You could describe those payment servers as "an entity", even though they're a bunch of different actual servers, because they're all doing the same thing, all have access to the same information, and all share the same control sphere.

What they're saying in the post you linked is that if an entity has access to encrypted cardholder data, and it has access to the decryption key, then functionally speaking the entity has access to plaintext card data and it must be treated as in-scope for PCI-DSS.

Polynomial
  • I realized this answer may be wrong. They say: https://www.pcisecuritystandards.org/pci_security/glossary "Entity: Term used to represent the corporation, organization or business which is undergoing a PCI DSS review." Do you have a source for that? – Samuel Sep 23 '21 at 19:20
  • @Samuel The source for the quote you were asking about is not the PCI-DSS standard. I'm telling you what it means in the context of the article you linked. The specific language in the standard is different from what is used in the general case in security contexts. – Polynomial Sep 23 '21 at 19:38
  • Thanks for your reply, I believe your answer is what makes sense, but how do you know in the article I linked (from PCI) it means that in that context and not the definition of PCI? – Samuel Sep 24 '21 at 20:06
  • @Samuel Context. I used to work as a PCI ASV. – Polynomial Sep 24 '21 at 20:55
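To make the reading in the answer concrete, here is an added example (not part of the question, the answer, or any PCI SSC material) that applies the five in-scope conditions quoted in the question to a small, constructed inventory. An "entity" is modelled the way the answer describes it: a person, role or system group with a shared sphere of control, identified by the set of components it can reach. The "not isolated from" condition has no precise definition on the page, so it is approximated here by environment membership; that, and every component, environment and role name, is an assumption of this example.

```python
"""Toy PCI DSS scoping model for encrypted cardholder data (CHD).

Constructed example: applies the five in-scope conditions quoted in the
question to a small inventory. Not an official PCI SSC tool; the
"isolated from" condition is approximated by environment membership.
"""
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    environment: str                        # infrastructure segment the component lives in
    stores_encrypted_chd: bool = False      # holds PAN ciphertext ("tokens" in the question)
    holds_decryption_key: bool = False      # key material is present on this system
    does_crypto_or_key_mgmt: bool = False   # encrypts/decrypts CHD or manages keys


@dataclass
class Entity:
    """A threat-model entity: a person, role or system group with one sphere of control."""
    name: str
    access: set = field(default_factory=set)  # names of the components the entity can reach


def pci_scope(components, entities):
    """Return {component name: list of reasons it is in scope}; an empty list means out of scope."""
    by_name = {c.name: c for c in components}
    key_holders = {c.name for c in components if c.holds_decryption_key}
    crypto_envs = {c.environment for c in components if c.does_crypto_or_key_mgmt}
    key_envs = {by_name[k].environment for k in key_holders}
    result = {}
    for c in components:
        reasons = []
        if c.does_crypto_or_key_mgmt:
            reasons.append("performs encryption/decryption or key management")
        if c.stores_encrypted_chd:
            if c.environment in crypto_envs:
                reasons.append("encrypted CHD not isolated from crypto/key-management processes")
            if c.holds_decryption_key:
                reasons.append("encrypted CHD co-located with decryption key")
            if c.environment in key_envs:
                reasons.append("encrypted CHD in same environment as decryption key")
            for e in entities:
                # the last quoted condition: one entity reaches both ciphertext and key
                if c.name in e.access and e.access & key_holders:
                    reasons.append(f"entity '{e.name}' can reach both ciphertext and key")
        result[c.name] = reasons
    return result


def question_scenario(shared_admin: bool):
    """The asker's setup (constructed names): a bank area with the key in an HSM,
    a third party and a sibling area of the same company that hold only tokens."""
    components = [
        Component("hsm-host", "bank-core", holds_decryption_key=True, does_crypto_or_key_mgmt=True),
        Component("partner-db", "third-party", stores_encrypted_chd=True),
        Component("analytics-db", "sibling-area", stores_encrypted_chd=True),
    ]
    entities = [
        Entity("bank-key-custodians", {"hsm-host"}),
        Entity("partner-ops", {"partner-db"}),
        Entity("analytics-team", {"analytics-db"}),
    ]
    if shared_admin:
        # one admin role spanning both infrastructures collapses the separation
        entities.append(Entity("shared-admins", {"hsm-host", "analytics-db"}))
    return pci_scope(components, entities)


if __name__ == "__main__":
    for label, flag in (("separate roles", False), ("shared admin role", True)):
        print(label)
        for name, reasons in question_scenario(flag).items():
            print(f"  {name}: {'IN SCOPE: ' + '; '.join(reasons) if reasons else 'out of scope'}")
```

Under this model the sibling area and the third party come out the same way: both hold ciphertext, neither is reachable by anyone who can also reach the key, so neither is pulled into scope by the quoted conditions, which is the point the answer makes about "entity" being a sphere of control rather than a company. Adding a single role that can reach both the HSM host and the sibling area's database is enough to bring that database into scope, regardless of which legal entity owns it.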