PCI Requirement 12.9 – Additional Requirement for Service Providers Only: Service Providers Acknowledge in Writing to Customers That They are Responsible for the Security of Cardholder Data

by Randy Bartels / July 3rd, 2018

Service Provider Responsibilities

If you are a service provider, you must comply with PCI Requirement 12.9, which states, “Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.” PCI Requirement 12.9 functions in conjunction with PCI Requirement 12.8.2 to promote a consistent level of understanding between service providers and their customers about their applicable PCI compliance responsibilities.

The PCI DSS explains, “The service provider’s internal policies and procedures related to their customer engagement process and any templates used for written agreements should include a provision of an applicable PCI DSS acknowledgement to their customers. The method by which the service provider provides written acknowledgment should be agreed between the provider and their customers.”

PCI Requirement 12.9 is another requirement that applies only to organizations deemed to be service providers. It says that if you are a service provider, you need to maintain some type of template or contractual language, so that when a customer comes to you and asks for an agreement, you have something ready to provide that states you are going to maintain all of the appropriate controls securely.

What we found in the industry is that a lot of merchants and organizations who use service providers would go to their service providers and ask for this contract language, and those service providers would not be able to provide it to them. If the organization that you work with is going to play within this PCI DSS space, it’s required that they provide you with that contractual language, or at least language that denotes that they’re going to be doing things in a compliant way.