Service Providers with Access to Cardholder Data
No organization can do everything themselves. Back-up tape storage facilities, web-hosting companies, security service providers – most organizations have some type of relationship with a third-party or vendor. That’s why PCI Requirement 12.8 focuses on vendor management and asks organizations to maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.
PCI Requirement 12.8.1 specifically asks that you maintain a list of service providers including a description of the service provided. This will help to identify where potential risk extends to outside of your organization.
To verify compliance with PCI Requirement 12.8 and 12.8.1, an assessor will observe and review policies and procedures, as well as your list of service providers with access to cardholder data.
It’s unlikely that any organization within this industry can do everything by themselves. We find that most organizations have service providers that help them to manage some aspect of their environment or perform some type of activity on behalf of them.
Wherever you have service providers within your environment, PCI Requirement 12.8.1 requires that you have a program established in order to maintain, or at least to manage, the ongoing compliance of these organizations that would interact with cardholder data on your behalf. In order to maintain this vendor management program of your service providers, you need to maintain a list of all of those organizations that you might have that would be considered service providers—those individuals or organizations that would interact with cardholder data on your behalf. Your assessor is going to be asking for this list.