PCI Requirement 12.8.4 and 12.8.5 – Maintain a Program to Monitor Service Providers’ PCI DSS Compliance Status

by Randy Bartels / April 5, 2023

 Service Provider Compliance PCI Requirement 12.8.4 requires that your organization maintain a program to monitor service providers’ PCI DSS compliance status at least annually. Your service providers don’t necessarily need to be compliant, but they need to perform the services that they’re providing to you in a compliant way. Implementing this monitoring program and knowing your service providers’ compliance status provides assurance about whether they comply with the same…

PCI Requirement 12.8.3 – Ensure there is an Established Process for Engaging Service Providers

by Randy Bartels / April 5, 2023

 Due Diligence with Vendor Relationships PCI Requirement 12.8.3 asks organizations to ensure there is an established process for engaging service providers including proper due diligence prior to engagement. Due diligence is a key component of any compliance objective, but it’s especially important in PCI because the service provider will be handling cardholder data or could impact the security of cardholder data. Due diligence efforts may include examining the service…

PCI Requirement 12.8.2 – Maintain a Written Agreement that Includes an Acknowledgement that the Service Providers are Responsible for the Security of Cardholder Data

by Randy Bartels / April 5, 2023

 Understanding Compliance Responsibilities PCI Requirement 12.8.2 focuses on relationships with service providers and asks organizations to maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. Service providers…

PCI Requirement 12.8 & 12.8.1 – Maintain and Implement Policies and Procedures to Manage Service Providers with whom Cardholder Data is Shared

by Randy Bartels / April 5, 2023

 Service Providers with Access to Cardholder Data No organization can do everything themselves. Back-up tape storage facilities, web-hosting companies, security service providers – most organizations have some type of relationship with a third-party or vendor. That’s why PCI Requirement 12.8 focuses on vendor management and asks organizations to maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the…

PCI Requirement 12.7 – Screen Potential Personnel Prior to Hire

by Randy Bartels / April 5, 2023

Screening Candidates PCI Requirement 12.7 impacts your human resources department and hiring process. We've focused so much on external risks, but PCI Requirement 12.7 asks organizations to screen potential personnel prior to hire to minimize the risk of attacks from internal sources. Background checks could include previous employment history, criminal record, credit history, and reference checks. Background checks are a common aspect of hiring processes, but it’s a requirement of…