Service Provider Compliance

PCI Requirement 12.8.4 requires that your organization maintain a program to monitor service providers’ PCI DSS compliance status at least annually. Your service providers don’t necessarily need to be validated as compliant themselves, but they need to perform the services they provide to you in a compliant way. Implementing this monitoring program and knowing your service providers’ compliance status gives you assurance about whether, for the services they perform on your behalf, they meet the same requirements that your organization is subject to.

PCI Requirement 12.8.5 further details vendor management practices and requires that your organization maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.

At least annually, you’re required to operate a program that monitors your service providers’ compliance status. Understand that your service providers don’t necessarily need to be validated or compliant as a whole, but they need to be performing the services they provide to you in a compliant way. This distinction can be hard to understand, so I would recommend getting hold of your assessor if you have any questions about it.

What we see in most cases is organizations reaching out to their service provider and asking for a copy of their Attestation of Compliance (AOC). If your service provider can provide a current AOC that covers the services they perform for you, you’re good for the next year. If they cannot provide an AOC, you may need to assess them yourself or include them in the assessment we perform on your behalf. In any event, your assessor is going to be looking for the evidence you have to validate that you maintain this program for monitoring service provider compliance.

Due Diligence with Vendor Relationships

PCI Requirement 12.8.3 asks organizations to ensure there is an established process for engaging service providers including proper due diligence prior to engagement. Due diligence is a key component of any compliance objective, but it’s especially important in PCI because the service provider will be handling cardholder data or could impact the security of cardholder data.

Due diligence efforts may include examining the service provider’s reporting practices, breach notification and incident response procedures, business continuity plan, details of how PCI DSS responsibilities are assigned between each party, and how the provider validates their PCI DSS compliance and what evidence they will provide. Compliance with PCI Requirement 12.8.3 ensures that any engagement or relationship with a service provider is thoroughly vetted internally before it begins.

You have to have a formalized program for managing your relationship with any vendors. PCI Requirement 12.8.3 calls for due diligence to be performed before you engage these entities.

What we look for, from an assessment perspective, is that you’re vetting these organizations and making sure that whatever services they’re going to provide for you will be provided in a compliant way. The PCI DSS does not spell out what that due diligence must consist of, so from an assessment perspective we don’t get too in-depth, and we don’t really dig into the particular things you’re doing as part of due diligence. However, we do look to make sure that you have a due diligence program in place and that PCI DSS is typically pulled into those conversations.

Understanding Compliance Responsibilities

PCI Requirement 12.8.2 focuses on relationships with service providers and asks organizations to maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. Service providers could have a significant impact on your cardholder data, so compliance with this requirement is vital to securing it.

This acknowledgement provides evidence of the service provider’s commitment to maintaining proper security of cardholder data that it obtains from its clients. PCI Requirement 12.8.2 functions with Requirement 12.9 to promote a consistent level of understanding between parties about their compliance responsibilities. The PCI DSS doesn’t give us much instruction on the details of this acknowledgement, other than that the extent to which the service provider is responsible for the security of cardholder data will depend on the relationship and the service being provided. The guidance also states, “The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party.”

When you establish a relationship with a new service provider that would interact with your cardholder data, you’re going to want to include a contract, or some type of language within a contract, in which this third party agrees to maintain the security of the cardholder data and to perform the actions they carry out on your behalf in a secure way, to the extent of the services they provide for you.

Back in PCI Requirement 12.8.1, you’re asked to maintain a list of service providers. What we do, from an assessment perspective, is typically sample that service provider list and ask for the contracts with those providers. We read those contracts looking for that specific language. There are situations where, if that language does not exist, compensating controls can be developed. However, once again, it gets to be a pretty difficult conversation about how we’re going to meet these compliance objectives when you don’t have that language in place.

Service Providers with Access to Cardholder Data

No organization can do everything themselves. Back-up tape storage facilities, web-hosting companies, security service providers – most organizations have some type of relationship with a third-party or vendor. That’s why PCI Requirement 12.8 focuses on vendor management and asks organizations to maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.

PCI Requirement 12.8.1 specifically asks that you maintain a list of service providers including a description of the service provided. This will help to identify where potential risk extends to outside of your organization.

To verify compliance with PCI Requirement 12.8 and 12.8.1, an assessor will observe and review policies and procedures, as well as your list of service providers with access to cardholder data.

It’s unlikely that any organization within this industry can do everything by themselves. We find that most organizations have service providers that help them to manage some aspect of their environment or perform some type of activity on behalf of them.

Wherever you have service providers within your environment, PCI Requirement 12.8 requires that you have a program established to maintain, or at least to manage, the ongoing compliance of those organizations that interact with cardholder data on your behalf. To support this vendor management program, PCI Requirement 12.8.1 requires that you maintain a list of all the organizations that would be considered service providers, meaning those individuals or organizations that interact with cardholder data on your behalf or could affect its security, along with a description of the service each provides. Your assessor is going to be asking for this list.

Screening Candidates

PCI Requirement 12.7 impacts your human resources department and hiring process. We’ve focused so much on external risks, but PCI Requirement 12.7 asks organizations to screen potential personnel prior to hire to minimize the risk of attacks from internal sources. Background checks could include previous employment history, criminal record, credit history, and reference checks.

Background checks are a common aspect of hiring processes, but they are a requirement of the PCI DSS because personnel will be handling cardholder data. You want to be sure that whoever is handling cardholder data isn’t going to do so in a malicious or careless way. What if you hired someone with a relevant criminal record, and they ended up using PANs in an unauthorized way? Screening potential personnel is a way to prevent situations like this from occurring and to reduce risk to your cardholder data.

For PCI Requirement 12.7, the assessor is going to want to spend a little bit of time with your HR personnel. The PCI DSS requires you to perform some type of background check on the individuals you hire. This isn’t required for every individual; it’s only required for those who might have access to more than one card number at a time (for positions such as store cashiers who only handle one card number at a time when facilitating a transaction, the PCI DSS treats this requirement as a recommendation). Your assessor is going to look for evidence that the background checks have taken place. We’re not so much concerned with the merits of the background check; we just want to verify that it has taken place.