Understanding Compliance Responsibilities
PCI Requirement 12.8.2 focuses on relationships with service providers and asks organizations to maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment. Service providers could have a significant impact on your cardholder data, so compliance with this requirement is vital to securing it.
This acknowledgement provides evidence of the service provider’s commitment to maintaining proper security of cardholder data that it obtains from its clients. PCI Requirement 12.8.2 functions with Requirement 12.9 to promote a consistent level of understanding between parties about their compliance responsibilities. The PCI DSS doesn’t give us much instruction on the details of this acknowledgement, other than that the extent to which the service provider is responsible for the security of cardholder data will depend on the relationship and the service being provided. The guidance also states, “The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party.”
When you establish a relationship with a new service provider that will interact with your cardholder data, you will want a contract, or specific language within a contract, in which the third party agrees to maintain the security of the cardholder data and of the services it performs on your behalf, to the extent of those services and the work it is doing for you.
Back in PCI Requirement 12.8.1, you’re asked to provide a list of service providers. What we do, from an assessment perspective, is typically sample that service provider list and ask for the contracts with those providers. We read those contracts looking for that specific language. If the language does not exist, there are situations where compensating controls can be developed. However, once again, it becomes a pretty difficult conversation about how you’re going to meet these compliance objectives when that language isn’t there.