I have a question related to this FAQ:
It says:
The following are each in scope for PCI DSS:
- Systems performing encryption and/or decryption of cardholder data, and systems performing key management functions
- Encrypted cardholder data that is not isolated from the encryption and decryption and key management processes
- Encrypted cardholder data that is present on a system or media that also contains the decryption key
- Encrypted cardholder data that is present in the same environment as the decryption key
- Encrypted cardholder data that is accessible to an entity that also has access to the decryption key
With respect to: "Encrypted cardholder data that is accessible to an entity that also has access to the decryption key"
That implies that if you have an area in a company, and that area gives a token to a third party in another company (by token I mean a PAN encrypted with strong crypto, where Google Bank has the key in an HSM), that third party is out of scope for PCI, because it doesn't have access to the key material to decrypt it. However, if the area of the company gives the token to another area, which belongs to the same company but is in a different infrastructure and doesn't have access to the keys, would it be in scope for PCI?
This seems to contradict a paragraph on network segmentation from PCI DSS:
"To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE, such that even if the out-of-scope system component was compromised it could not impact the security of the CDE."