The Requirement for Service Provider PCI DSS Compliance


by Natasja Bolton, Acquirer Support Manager


Business customers engage all manner of third-party service providers to support their business, whether IT support providers, data centres, offsite storage providers, hosting providers or payment processors. What is not always understood is that outsourcing a business operation, or buying in a service from a third party, does not also outsource the responsibility for PCI DSS.

 

If the third-party provider is working on the business's behalf, it remains the business's responsibility to ensure that its customers' cardholder data is protected and that the PCI DSS compliance requirements are fulfilled.

 

While businesses may understand that they retain that responsibility, they often struggle to understand how a service provider affects their PCI DSS compliance, or to articulate, in PCI DSS terms, what they need their service providers to do for them.

In many cases, the business simply does not know enough to ask the right questions and so cannot confirm that all applicable PCI DSS requirements are being met by its service provider.

 

Service providers often say what appear to be the right words, offering "a PCI DSS compliant service" or describing their solution as "PCI DSS compliant", and provide what appears to be evidence of their compliance in the form of a compliance certificate or a passing ASV scan.

All of this can be enough to convince a business that it is fully covered with regard to the service provider and PCI DSS compliance, when in reality the "compliance" of the service depends on a number of significant caveats: for example, it may hold only for a particular way of implementing the service, or only for the premium-rate tier of the service.

 

We provide the following information as a guide to help you help your customers better understand the role of service providers, outlining:

 

  • The expectations that the PCI DSS has for third party service provider compliance
  • The steps a business should take to manage their service providers to ensure that cardholder data is protected and PCI DSS compliance requirements fulfilled

 

Service provider PCI DSS compliance expectations

Businesses may choose to use a service provider to store, process, or transmit cardholder data on their behalf, to manage system components, or to provide fully outsourced services.

 

Businesses using service providers retain the responsibility for the protection of cardholder data and fulfilment of the applicable PCI DSS requirements by their service providers.

 

Applicability of PCI DSS:

“PCI DSS applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data”

 

Service providers that capture, store, process or transmit cardholder data – even if they don’t actually process the card payment – are entities to whom PCI DSS applies (per the above definition) and should be PCI DSS compliant in their own right, e.g.

 

  • Payment service providers;
  • Wholly outsourced ecommerce providers;
  • Contact centre providers.

 

Businesses may also engage service providers that do not store, process or transmit cardholder data but that could impact the security of cardholder data or the security of the merchant’s Cardholder Data Environment (CDE), e.g.

 

  • Hosting provider supporting the physical server equipment and operating systems;
  • Data centre provider (host physical equipment only);
  • Managed network provider supporting the merchant’s routers and firewalls;
  • IT support providers managing the merchant’s PCs and Servers.

 

Within the scope of PCI DSS, third parties providing services that meet either or both of these definitions are considered service providers, and as such should be validated with and registered as PCI DSS compliant with the card schemes.

 

It should be noted, however, that the PCI DSS itself does allow businesses to engage an unvalidated service provider, but:

 

  • The business must include the services provided by that service provider within the scope of their own assessment
  • The business can only attest to their own compliance if they are able to complete their SAQ with supporting evidence of the service provider’s fulfilment of the PCI DSS requirements they are responsible for.

PCI DSS requirement 12.8 requires businesses engaging with service providers to ensure that they acknowledge their responsibility for securing cardholder data captured/processed/transmitted on behalf of the merchant, or to the extent that they could impact the security of cardholder data or the business’s CDE.


Businesses responsibilities for managing service providers

In order to achieve and validate their PCI DSS compliance, merchants must therefore perform a number of actions to manage their service providers:

 

Identify and maintain a list of all service providers

  • Identify all third-party service providers that store, process or transmit payment card data on the business's behalf, or that could impact the security of cardholder data or the business's CDE as a result of the services they provide.
  • Maintain a list of those service providers.

 

Set out service provider responsibilities

  • Ensure each service provider's responsibilities with regard to securing cardholder data, managing the business's systems or providing services are clearly defined. That is, not in vague terms but in specifics relating to the PCI DSS Requirements.
  • Agree a PCI DSS controls responsibility matrix so that all parties clearly understand their PCI DSS responsibilities, and the responsibilities that remain the business's to fulfil.
  • Ensure written agreements with service providers include acknowledgement of those agreed responsibilities: to secure the data and processes they operate in accordance with PCI DSS.

 

Qualify the service provider’s ability to provide a PCI DSS compliant service

  • For all service providers that must be validated as PCI DSS compliant (per the description above) and those that claim to be:
    • Obtain each service provider's Attestation of Compliance (AOC). It should:
      • Be either the service provider AOC for Onsite Assessments or the AOC contained within the service provider SAQ D;
      • Be in date and hence valid;
      • Include the services provided to the merchant and the locations they are operated from.
    • The business must ensure that any service provided by the service provider falls within the scope of the PCI DSS compliant services for which the service provider has been validated (Part 2a of the AOC).
  • Businesses should not accept ASV External Vulnerability Scan Reports or "compliance certificates" as evidence of compliance from service providers (see the PCI SSC FAQ on the topic of compliance certificates).
  • If an AOC cannot be supplied, businesses should obtain evidence of the service provider's compliance with, and ability to fulfil, the agreed PCI DSS Requirements.

 

Check Service Provider registration with Card Schemes

As mentioned above, service providers should also be validated with and registered as PCI DSS compliant with the card schemes. The card schemes maintain lists of PCI DSS compliant, registered service providers; listed service providers are those that have fulfilled the card schemes' registration criteria.

 

  • Businesses should check whether their service providers appear on the card scheme lists.

 

Visa International, Visa Europe, Mastercard and, to a limited extent, American Express publish lists of registered PCI DSS compliant service providers, but only for Level 1 service providers (Level 1: service providers that store, process or transmit over 300,000 Visa or Mastercard transactions per year).

 

 

Visa Europe also maintains a list of Level 2 service providers (Merchant Agents). Registered Merchant Agents are third parties that offer services to merchants – both Level 1 and Level 2 service providers.  Note: a service provider can be both a Merchant Agent and a Member Agent.

 

 

In the Visa Europe region, acquirers are required to ensure their merchants only use service providers that are registered Visa Europe Merchant Agents.

 

  • Merchants should note that if the service provider is listed as ‘Out of Scope’ on the Visa Europe Merchant Agent list, the service provider is not claiming compliance with PCI DSS. The Service Provider cannot fulfil PCI DSS controls on the merchant’s behalf and it remains the merchant’s responsibility to fulfil the PCI DSS requirements when using their services.

 

Monitor service providers’ PCI DSS compliance status

  • On an annual basis merchants should check their service providers' PCI DSS compliance status:
    • Request an up-to-date and valid AOC;
    • Confirm the services provided to the merchant are included within the new AOC's scope;
    • For those service providers that have not, or are not required to, validate compliance with the PCI DSS, obtain evidence of the service provider's continued compliance with, and ability to fulfil, the agreed PCI DSS Requirements;
    • Check that service providers have maintained their presence on the card scheme lists of registered service providers.

 

Engage PCI DSS compliant service providers

  • Merchants should perform due diligence before engaging, or sharing card data with, a new service provider.
  • Merchants should follow the guidance above prior to engaging a new service provider:
    • Qualify the service provider's ability to provide a PCI DSS compliant service. Confirm its ability to protect cardholder data captured/processed/transmitted on behalf of the merchant or, to the extent that it could impact the security of cardholder data or the merchant's CDE, its ability to operate in accordance with the applicable PCI DSS requirements;
    • Check whether the service provider has registered with the card schemes;
    • Agree a PCI DSS controls responsibility matrix;
    • Ensure the service provider's responsibilities are set out in written agreements.
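The qualify, register-check, matrix and annual-monitoring steps above can be run as a routine review over a service provider register. The following is an added illustration, not code from the article or from Sysnet; the provider names, the register fields and the responsibility matrix are constructed sample data, and the review rules encode only the checks the article describes (AOC rather than certificate or ASV scan, AOC in date, services within Part 2a scope, scheme listing, every requirement assigned an owner).

```python
from datetime import date

# Constructed sample register of hypothetical providers (not real companies).
REGISTER = [
    {"name": "GatewayCo", "evidence": "AOC", "aoc_expiry": date(2025, 6, 30),
     "aoc_scope": {"payment gateway", "tokenisation"},
     "services_used": {"payment gateway"}, "scheme_listing": "registered"},
    {"name": "HostCo", "evidence": "compliance certificate", "aoc_expiry": None,
     "aoc_scope": set(), "services_used": {"managed hosting"},
     "scheme_listing": "Out of Scope"},
    {"name": "NetCo", "evidence": "AOC", "aoc_expiry": date(2023, 1, 31),
     "aoc_scope": {"managed firewall"},
     "services_used": {"managed firewall", "managed routers"},
     "scheme_listing": "not listed"},
]

# Constructed responsibility matrix: PCI DSS requirement number -> owner.
# Requirement 7 is deliberately left unassigned to show the gap check.
MATRIX = {"1": "NetCo", "2": "shared", "3": "GatewayCo", "4": "GatewayCo",
          "5": "merchant", "6": "merchant", "8": "merchant", "9": "HostCo",
          "10": "shared", "11": "merchant", "12": "merchant"}

ACCEPTABLE_EVIDENCE = {"AOC"}  # ASV scans and certificates are not evidence


def review_provider(p, today):
    """Apply the article's qualification checks to one register entry."""
    findings = []
    if p["evidence"] not in ACCEPTABLE_EVIDENCE:
        findings.append(f"{p['evidence']} is not acceptable evidence; obtain an AOC")
    elif p["aoc_expiry"] is None or p["aoc_expiry"] < today:
        findings.append("AOC missing or out of date")
    else:
        uncovered = p["services_used"] - p["aoc_scope"]  # Part 2a scope check
        if uncovered:
            findings.append(f"services outside AOC scope: {sorted(uncovered)}")
    if p["scheme_listing"] == "Out of Scope":
        findings.append("listed Out of Scope: no PCI DSS compliance claimed; "
                        "controls remain with the merchant")
    elif p["scheme_listing"] != "registered":
        findings.append("not found on card scheme registered provider lists")
    return findings


def review_register(register, matrix, today):
    """Review every provider and report requirements with no agreed owner."""
    report = {p["name"]: review_provider(p, today) for p in register}
    report["matrix"] = [f"Requirement {n} has no assigned owner"
                        for n in map(str, range(1, 13)) if n not in matrix]
    return report
```

Run this annually against the real register (with `today` set to the review date) and treat every non-empty finding list as an action item for the monitoring step.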

 

By taking these steps merchants will be fulfilling their responsibility to manage their service providers and maintain awareness of their PCI DSS compliance status.  They will have the assurance that their service providers are securing the cardholder data and the processes they manage on their behalf in accordance with PCI DSS.
