Due Diligence with Vendor Relationships
PCI Requirement 12.8.3 asks organizations to ensure there is an established process for engaging service providers, including proper due diligence prior to engagement. Due diligence is a key component of any compliance objective, but it is especially important in PCI because the service provider will be handling cardholder data or could impact the security of cardholder data.
Due diligence efforts may include examining the service provider’s reporting practices, breach notification and incident response procedures, business continuity plan, the details of how PCI DSS responsibilities are assigned between the parties, and how the provider validates its PCI DSS compliance and what evidence it will provide. Compliance with PCI Requirement 12.8.3 ensures that any engagement or relationship with a service provider is thoroughly vetted internally.
You have to have a formalized program as part of managing your relationship with any vendors. PCI Requirement 12.8.3 calls out that you perform due diligence prior to engaging these entities.
What we look for, from an assessment perspective, is that you’re vetting these organizations and making sure that whatever services they’re going to be providing for you are going to be provided in a compliant way. The PCI DSS does not necessarily call out what those requirements are, so from an assessment perspective, we don’t really get too in-depth, and we really don’t dig into what those particular things are that you’re doing as part of due diligence. However, we do look to make sure that you have a due diligence program in place and that PCI DSS is typically pulled into those conversations.