For organizations that do not seem so essential but outsource their payment card processing to third-party service providers, one of the first lines of defense in the battle against payment card-related cybercrime is service provider security and safeguards.
No organization can do everything by itself. Most organizations, such as backup tape storage facilities, web hosting companies, security service providers, have a relationship with a third party or vendor.
As a result, PCI Requirement 12.8 focuses on vendor management and mandates that companies develop and execute policies and processes to manage service providers with whom cardholder data is shared or who may compromise cardholder data security.
PCI DSS Requirement 12.8 states that any entity involved in payment card processing, including merchants, processors, buyers, issuers, and service providers, must have policies and procedures in place to manage their service providers.
The Payment Card Industry Data Security Standard (PCI DSS) contains requirements aimed at helping protect cardholder data. PCI DSS requirement 12.8 requires vendors to manage third-party service providers to protect their customers’ card data effectively.
PCI DSS Requirement 12.8 relates to requirements covering the core PCI DSS controls of doing business with a third-party service provider and the partner’s impact on your compliance.
Everything in your company’s existence can depend on a service provider. You should think of your third-party service providers as an extension of your company, even if they are separate entities. Having a breach with your service provider will affect you as well.
Even if this breach results from a third-party service provider, you should pre-measure the effects and determine the risk. That’s why we need to take third-party service provider security seriously and make reasonable efforts to ensure you have all the elements required for compliance.
PCI DSS requirement 12.8 requires you to have a policy for dealing with third-party service providers. The policy need not be detailed but should provide control statements on how you manage your third-party service providers and detail the sub-requirements clear below.
When we review the PCI DSS Third Party Service Provider Requirements, we come across the following items:
Create a List of Service Providers you receive service from
The PCI DSS 12.8.1 requirement asks merchants to create a list of service providers to include a description of the services provided, such as web hosting, payment service provider, IT management. The service provider list is usually available in a spreadsheet that can also be used for other PCI DSS 12.8 requirements.
First, you should maintain a list of service providers with a description of the service provided per PCI DSS requirement 12.8.1. In the list, you may also keep embedded copies of contracts used for contact information and PCI DSS requirement 12.8.2.
While in the PCI assessment, your QSA auditor will check your list of service providers to ensure that it is maintained with up-to-date information.
PCI Requirement 12.8.1 specifically requires you to maintain a list of service providers with a description of the service provided. This list will assist you in identifying potential risks outside of your organization.
An auditor (QSA) will observe and analyze your list of service providers having access to cardholder data, as well as policies and procedures, to ensure compliance with PCI Requirement 12.8.1.
It’s improbable that a single payments company will be able to do everything on its own. Most organizations have service providers who help them manage their environment or perform some activity on their behalf.
Suppose you have service providers in your environment. In that case, PCI Requirement 12.8.1 requires that you have a program set up to maintain, or at least manage, the ongoing compliance of those organizations that will interact with cardholder data on your behalf.
To keep track of your service providers’ vendor management program, you’ll need to keep track of all the companies that can be deemed service providers since they interact with cardholder data on your behalf.
You must have agreements in place with the service providers who provide you with services.
The PCI DSS 12.8.2 requirement states that there must be agreements in place between a merchant and third-party service providers to enable customers to refer to the security of their card data.
PCI Requirement 12.8.2 focuses on relationships with service providers. It requires organizations to maintain a written agreement that includes acknowledging that service providers are responsible for the security of cardholder data. Service providers can significantly impact your cardholder data, so complying with this requirement is vital to ensuring data security.
This approval provides evidence of the service provider’s commitment to ensure the appropriate security of cardholder data it receives from its customers. PCI Requirement 12.8.2 works with PCI Requirement 12.9 to provide a consistent level of understanding between parties about compliance responsibilities.
PCI DSS requirement 12.8.2 mandates that you keep a written agreement in place that states that service providers are responsible for the security of cardholder data that they own, store, process, or send on behalf of the customer.
There is also a statement that the document need not contain the complete information of the requirement. In a QSA PCI assessment, they will look for data that will enable them to take your security very seriously and protect the card data you entrust to them or protect the security of your environment.
The service provider’s acknowledgment of liability for card data will be a form of liability acceptance offered to you by the third party. It should be noted that PCI DSS AoC is not a legal contract between you and a third party and has nothing to do with the acceptance of liability.
PCI DSS does not instruct us further on the details of this consent, except that the extent to which the service provider is responsible for cardholder data security depends on the relationship and the service provided.
When you establish a relationship with a new service provider that will interact with your cardholder data, you must include a clause in a contract or agreement. That third party agrees to ensure the cardholder’s security. Those services and things they do for you securely should cover data or actions they perform on your behalf.
Perform due diligence on the service providers to whom you are entrusting your business.
The PCI DSS 12.8.3 requirement is due diligence. It means performing various checks on third-party service providers to ensure that what the service providers say they will or won’t do happens.
Due diligence can be accomplished in a variety of ways, but they all have the same purpose. You may need to ask for proof to get the third-party service provider to state what they have or even to substantiate the claims.
Evaluation is sometimes done by sending a questionnaire, and sometimes a site visit is made to see the physical checks. The third-party service provider evaluation process is usually carried out annually and on new assignments and performed more regularly for more critical missions.
PCI Requirement 12.8.3 requires organizations to ensure an established process for service provider engagement, including appropriate due diligence before the meeting. Due diligence is an essential component of any compliance objective. Still, it is necessary to PCI as the service provider will process cardholder data or affect cardholder data security.
The service provider’s reporting practices, breach notification, incident response procedures, how the service provider has verified PCI DSS compliance, business continuity plan, details of how PCI DSS responsibilities are assigned between each party, and what evidence to provide are all examples of due diligence activities.
Compliance with PCI Requirement 12.8.3 provides a thorough internal review of any interaction or relationship with a service provider. PCI DSS requirement 12.8.3 requires you to create a built-in process involving service providers, including appropriate due diligence, before working.
You should have a policy-driven process that checks to make sure you want to do business with a third party. The issue that PCI DSS wants to apply is to perform a risk analysis on the vendor. The risk analysis should address all areas of PCI, such as whether they comply with PCI DSS requirement 12.8.5 or provide a matrix of responsibility.
You must have a formal program as part of managing your relationship with any vendor. PCI Requirement 12.8.3 dictates that you do your due diligence before contacting these organizations. From an assessment perspective, we’re looking at that you examine these organizations and make sure whatever services they provide to you will be provided in a compliant manner.
PCI DSS doesn’t explicitly state what these requirements are, but you need to make sure you have a relevant due diligence program, and PCI DSS is typically included in these discussions.
The PCI DSS 12.8.3 requirement is very vaguely written, but at its core is that you need to examine your potential service provider. You should have procedural documents that show the processes behind reviewing a service provider.
PCI DSS requirement 12.8.3 specifically includes due diligence to evaluate service providers before they are commissioned.
Service provider evaluation records should be retained for as long as the business relationship or ability to affect cardholder data security continues. While the service provider’s original due diligence records must be kept, a yearly update to demonstrate that the provider is still compliant is also required.
As for what you need to do to examine your potential service provider, in risk analysis, you can look at the reputation and history of the company. It would be best to ask detailed questions about what you are potentially working on with the provider.
The PCI DSS 12.8.3 requirement requires that you use your best and reasonable efforts to ensure that all service providers that will work with information covered by PCI are also PCI compliant and protect the information to the required standards.
The assessment process ensures that any service provider’s involvement is thoroughly reviewed internally by an organization, which should include a risk analysis before establishing a formal relationship with the service provider.
Due diligence processes and objectives will differ for each organization. Examples of matters to consider would include the provider’s reporting practices, breach notification, incident response procedures, how the provider has verified PCI DSS compliance, details of how PCI DSS responsibilities are assigned between each party, and what evidence to provide.
Evaluation of the service provider should include verification that the service provider has an AOC and responsibility matrix or has implemented controls such as:
- Check the background of their personnel before allowing access to Cardholder Data (CHD).
- Personnel must undergo safety awareness training annually.
- Personnel must confirm that they have read and understood the appropriate security policies and procedures.
- Requirements for monitored media movement and disposal or secure erasure of discs should be documented before reuse or disposal.
- There should be a mechanism to return the data of a particular legal entity in case of termination of the parties’ business relationship and means to prevent unauthorized access to this data in the event of a purchase.
- If applicable, physical security requirements should be provided by PCI DSS requirement 9.
If the service provider has its own PCI AOC, all of the above requirements can be considered covered. The responsibility matrix should be reviewed to ensure that none of these requirements are met.
It is also recommended that the business due diligence includes some form of financial stability assessment, even if PCI does not require it. An overall risk assessment that addresses factors such as security incidents discovered in the last 12 months and recent unintentional staff turnover is also worth performing to measure service provider availability.
Evaluate Your Service Providers.
The PCI DSS 12.8.4 requirement requires merchants to have their third-party service providers confirm PCI DSS status at least annually. A PCI DSS compliant third-party service provider that has passed its PCI DSS assessment will have its Attestation of Compliance (AoC). This should be the template provided by the official PCI SSC, and a non-approved certificate should not be accepted.
PCI DSS Requirement 12.8.4 mandates that your company keep track of service providers’ PCI DSS compliance status at least once a year. Your service providers don’t necessarily need to be compliant, but they must perform the services they provide you in a compliant manner.
Implementing this monitoring program and knowing the compliance status of your service providers assures that they are meeting the exact requirements to which your organization is subject.
PCI DSS requirement 12.8.4 stipulates the PCI DSS Statement regarding compliance. The PCI DSS statement regarding compliance monitors the service provider’s compliance as you request, and they provide you with their current AoC. You don’t have to use compliant third-party service providers, but you need to be PCI DSS compliant.
These third-party covered areas of PCI DSS will need to be tested along with testing for your compliance. This means you will need to reach out to that third party and get evidence from them, and your evaluator may wish to speak with the external third party as part of the assessment.
If the third party has an AoC, but it shows a non-compliant result, you should still review the third-party AoC and see if there are any areas where it is not compatible with the services you are using.
You must include the vendor in your QSA assessment test to ensure compliance is maintained in these areas. This may mean a fix by a third-party service provider.
The AOC has a date in it that indicates when the assessment was completed. After one year from this date, the vendor should contact the 3rd party service provider and begin requesting the new AoC once it is delivered.
The vendor may conduct year-round checks as part of service review meetings to ensure the service provider maintains compliance and discuss any concern areas.
Determine which requirements are the responsibility of your service providers.
PCI DSS requirement 12.8.5 is intended to provide information about vendor-responsible needs and service provider-managed requirements.
You can view this as an extension of the contract wording to set limits of liability if the worst happens. Again, this information is usually contained in a spreadsheet and then shared with in-scope service providers to get them to agree on managed requirements.
PCI Requirement 12.8.5 further describes vendor management practices and requires your organization to maintain information about which each service provider manages PCI DSS requirements and which by the organization.
At least once a year, you should maintain a program where you monitor the compliance status of your service providers. Your service providers are not necessarily verified or PCI compliant, but they must perform the services they provide to you in a compliant manner. This can be difficult to understand at times, so you can talk to your evaluator (QSA) about it if you have any questions.
PCI DSS requirement 12.8.5 asks you to create information about which PCI DSS requirements are managed by each service provider and managed by the organization.
To meet the PCI DSS 12.8.5 requirement, you must maintain a list of which requirements are the responsibility of the third party, which requirements are yours, and which requirements are shared between you and the third party.
In most cases, organizations reach out to service providers and request a copy of their AOC. If your service provider can provide you with a copy of their AOC, it is sufficient for eligibility.
If they cannot provide you with an AOC, you may need to assess them or include them as part of our assessment on your behalf. In any case, your evaluator will look for evidence that you should verify or maintain this program around monitoring your service provider compliance.