A Merchant’s Guide to Managing TPSPs and Meeting PCI DSS Requirements
Introduction
In the ever-evolving landscape of the credit card industry, businesses often rely on third-party service providers (TPSPs) to handle various aspects of their cardholder data environment (CDE). Whether it's storing, processing, or transmitting account data, or managing in-scope system components, the use of TPSPs is becoming increasingly common. However, this reliance on external entities can have significant implications for a customer's CDE security and their ability to meet the Payment Card Industry Data Security Standard (PCI DSS) requirements. Customers often ask whether using a TPSP for their business system absolves them of PCI DSS compliance. The answer is no.
Understanding the Impact of TPSPs on PCI DSS Compliance
There are numerous scenarios where a customer might engage one or more TPSPs for functions within or related to their CDE. Regardless of the scenario, it is imperative for the customer to manage and oversee the PCI DSS compliance status of all their TPSPs in accordance with Requirement 12.8. This includes TPSPs that:
Managing TPSPs involves performing due diligence, having appropriate agreements in place, identifying applicable requirements for both parties, and monitoring the compliance status of TPSPs at least annually. It is important to note that Requirement 12.8 does not mandate TPSPs to be PCI DSS compliant; it only requires the customer to monitor their compliance status as specified.
The Role of TPSPs in Meeting Customers’ PCI DSS Requirements
When a TPSP provides a service that meets one or more PCI DSS requirements on behalf of the customer, or where that service may impact the security of the customer’s CDE, those requirements are in scope for the customer’s assessment, and the compliance of that service directly affects the customer’s PCI DSS compliance. For instance, if a TPSP manages network security controls for an entity but does not provide evidence of meeting the applicable parts of PCI DSS Requirement 1, those requirements are not considered in place for the customer’s assessment.
It is crucial to understand that using a PCI DSS compliant TPSP does not automatically make a customer PCI DSS compliant, nor does it absolve the customer of their own PCI DSS compliance responsibilities. The customer remains responsible for confirming its own compliance as requested by organizations that manage compliance programs, such as payment brands and acquirers.
Clarifying Responsibilities Between TPSP Customers and TPSPs
Both parties should clearly identify and understand the following:
For example, a cloud provider should clearly define which of its IP addresses are scanned as part of its quarterly vulnerability scan process and which IP addresses are their customers’ responsibility to scan.
Per Requirement 12.9.2, TPSPs are required to support their customers’ requests for information about the TPSP’s PCI DSS compliance status related to the services provided to customers, and about which PCI DSS requirements are the responsibility of the TPSP, which are the responsibility of the customer, and any shared responsibilities.
Options for TPSPs to Validate PCI DSS Compliance
TPSPs are responsible for demonstrating their PCI DSS compliance as requested by organizations that manage compliance programs. There are two options for TPSPs to validate compliance in this scenario:
If the TPSP undergoes its own PCI DSS assessment, it is expected to provide sufficient evidence to its customers to verify that the scope of the TPSP’s PCI DSS assessment covered the services applicable to the customer, and that the relevant PCI DSS requirements were examined and determined to be in place. If the provider has a PCI DSS Attestation of Compliance (AOC), it is expected that the TPSP provides the AOC to customers upon request. The customer may also request relevant sections of the TPSP’s PCI DSS Report on Compliance (ROC). The ROC may be redacted to protect any confidential information.
If the TPSP does not undergo its own PCI DSS assessment and therefore does not have an AOC, the TPSP is expected to provide specific evidence related to the applicable PCI DSS requirements, so that the customer (or its assessor) is able to confirm the TPSP is meeting those PCI DSS requirements.
A TPSP’s Presence on a Payment Brand’s List(s) of PCI DSS Compliant Service Providers
For a customer monitoring a TPSP’s compliance status in accordance with Requirement 12.8, the TPSP’s presence on a payment brand’s list of PCI DSS compliant service providers may be sufficient evidence of the TPSP’s compliance status if it is clear from the list that the services applicable to the customer were covered by the TPSP’s PCI DSS assessment. If it is not clear from the list, the customer should obtain other written confirmation that addresses the TPSP’s PCI DSS compliance status.
For a customer looking for evidence of PCI DSS compliance for requirements that a TPSP meets on a customer’s behalf or where the service provided can impact the security of the customer’s CDE, the TPSP’s presence on a payment brand’s list of PCI DSS compliant service providers is not sufficient evidence that the applicable PCI DSS requirements for that TPSP were included in the assessment. If the TPSP has a PCI DSS AOC, it is expected to provide it to customers upon request.
Conclusion
Navigating the complexities of PCI DSS compliance while using TPSPs can be challenging. However, with a clear understanding of the responsibilities of both parties, appropriate due diligence, and regular monitoring of compliance status, it is possible to maintain a secure CDE and meet PCI DSS requirements. Remember, the use of a PCI DSS compliant TPSP does not absolve a customer of their own PCI DSS compliance responsibilities. It is crucial for both parties to have a clear understanding of their respective responsibilities and to work collaboratively to ensure the security of cardholder data.
- Chester Ritchie