by Natasja Bolton, Acquirer Support Manager
Business customers engage with all manner of third party service providers to support their business, whether that be IT support providers, data centres, offsite storage providers, hosting providers or payment processors. What is not always understood is that outsourcing a business operation or buying in a service from a third party does not also outsource the responsibility for PCI DSS.
If the third party provider is working on the business’s behalf, it remains the business’s responsibility to ensure that its customers’ cardholder data is protected and that the PCI DSS compliance requirements are fulfilled.
While businesses may understand that they retain that responsibility, they often struggle to understand how the service provider affects their PCI DSS compliance, or to articulate, with regard to PCI DSS compliance, what it is they need their service providers to do for them.
In many cases, the business simply does not know enough to ask the right questions to ensure that all applicable PCI DSS requirements are being met by their service provider.
Service providers often say what appear to be the right words about offering “a PCI DSS compliant service” or that their solution is “PCI DSS compliant” and provide what appears to be evidence of their compliance in the form of a compliance certificate, or a passing ASV scan.
All of which can be sufficient to convince a business that it is fully covered in relation to the service provider and PCI DSS compliance, when in reality the ‘compliance’ of the service depends on a number of significant caveats: for example, it may hold only if the business implements the service in a particular way, or may apply only to the premium tier of the service.
We provide the following information as a guide to help you help your customers better understand the role of service providers, outlining:
- The expectations that the PCI DSS has for third party service provider compliance
- The steps a business should take to manage their service providers to ensure that cardholder data is protected and PCI DSS compliance requirements fulfilled
Service provider PCI DSS compliance expectations
Businesses may choose to use a service provider to store, process, or transmit cardholder data on their behalf, to manage system components, or to provide fully outsourced services.
Businesses using service providers retain the responsibility for the protection of cardholder data and fulfilment of the applicable PCI DSS requirements by their service providers.
Applicability of PCI DSS:
“PCI DSS applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data”
Service providers that capture, store, process or transmit cardholder data – even if they don’t actually process the card payment – are entities to whom PCI DSS applies (per the above definition) and should be PCI DSS compliant in their own right, e.g.
- Payment service providers;
- Wholly outsourced ecommerce providers;
- Contact centre providers.
Businesses may also engage service providers that do not store, process or transmit cardholder data but that could impact the security of cardholder data or the security of the merchant’s Cardholder Data Environment (CDE), e.g.
- Hosting provider supporting the physical server equipment and operating systems;
- Data centre provider (host physical equipment only);
- Managed network provider supporting the merchant’s routers and firewalls;
- IT support providers managing the merchant’s PCs and Servers.
Within the scope of PCI DSS, third parties providing services that meet either or both of these definitions are considered service providers, and as such should validate their PCI DSS compliance and be registered as compliant with the card schemes.
It should be noted however that the PCI DSS itself does allow businesses to engage an un-validated service provider but:
- The business must include the services provided by that service provider within the scope of their own assessment
- The business can only attest to their own compliance if they are able to complete their SAQ with supporting evidence of the service provider’s fulfilment of the PCI DSS requirements they are responsible for.
PCI DSS requirement 12.8 requires businesses engaging with service providers to ensure that they acknowledge their responsibility for securing cardholder data captured/processed/transmitted on behalf of the merchant, or to the extent that they could impact the security of cardholder data or the business’s CDE.
Businesses’ responsibilities for managing service providers
In order to achieve and validate their PCI DSS compliance, merchants must therefore perform a number of actions to manage their service providers:
Identify and maintain a list of all service providers
- Identify all third party service providers that store, process or transmit payment card data on the business’s behalf, or that could impact the security of cardholder data or the business’s CDE as a result of the services they provide.
- Maintain a list of those service providers.
Set out service provider responsibilities
- Ensure each service provider’s responsibilities with regard to securing cardholder data, managing the business’s systems or providing services are clearly defined: not in vague terms, but in specifics relating to the PCI DSS requirements.
- Agree a PCI DSS controls responsibility matrix so that all parties clearly understand their PCI DSS responsibilities, and the responsibilities that remain the business’s to fulfil.
- Ensure written agreements with service providers include acknowledgement of those agreed responsibilities: to secure the data and processes they operate in accordance with PCI DSS.
Qualify the service provider’s ability to provide a PCI DSS compliant service
- For all service providers that must be validated as PCI DSS compliant (per the description above) and those that claim to be:
- Obtain each service provider’s Attestation of Compliance (AOC). It should:
- Be either the service provider AOC for Onsite Assessments or the AOC contained within the service provider SAQ D;
- Be current, i.e. within its validity period (an AOC is valid for one year from the date of the assessment);
- Include the services provided to the merchant and the locations they are operated from.
- The business must ensure that every service it receives from a service provider falls within the scope of the PCI DSS compliant services for which the service provider has been validated (Part 2a of the AOC).
- Businesses should not accept ASV External Vulnerability Scan Reports or ‘compliance certificates’ as evidence of a service provider’s compliance (see the PCI SSC FAQ on the topic of compliance certificates). An ASV scan covers only externally facing systems and only vulnerability scanning (Requirement 11), and ‘compliance certificates’ are not a PCI SSC recognised validation document.
- If an AOC cannot be supplied, businesses should obtain evidence of the service provider’s compliance with, and their ability to fulfil, the agreed PCI DSS Requirements.
Check Service Provider registration with Card Schemes
As mentioned above, service providers should also validate their PCI DSS compliance and be registered as compliant with the card schemes. The card schemes maintain lists of PCI DSS compliant, registered service providers; listed service providers are those that have fulfilled the card schemes’ registration criteria.
- Businesses should check whether their service providers appear on the card scheme lists.
Visa International, Visa Europe, Mastercard and, to a limited extent, American Express publish lists of registered PCI DSS compliant service providers, but only for Level 1 service providers (those that store, process or transmit over 300,000 Visa or Mastercard transactions per year).
- Mastercard service providers: Level 1 service providers download the current month’s list from the ‘Choose a PCI-Compliant Service Provider’ link
- Visa Global Service Providers (all Visa regions except Europe): Level 1 service providers
- Visa Europe: Registered Member Agents: Third parties that provide services to member banks – Level 1 service providers download the current month’s member agent weblisting PDF
- American Express: American Express categorises and lists only three types of service provider, those providing:
- Payment processing-related services
- Data preparation
- Fraud prevention and control
Visa Europe also maintains a list of registered Merchant Agents: third parties that offer services to merchants, covering both Level 1 and Level 2 service providers. Note: a service provider can be both a Merchant Agent and a Member Agent.
- Visa Europe: Registered Merchant Agents: download current month’s merchant agent weblisting PDF.
In the Visa Europe region, acquirers are required to ensure their merchants only use service providers that are registered Visa Europe Merchant Agents.
- Merchants should note that if the service provider is listed as ‘Out of Scope’ on the Visa Europe Merchant Agent list, the service provider is not claiming compliance with PCI DSS. The Service Provider cannot fulfil PCI DSS controls on the merchant’s behalf and it remains the merchant’s responsibility to fulfil the PCI DSS requirements when using their services.
Monitor service providers’ PCI DSS compliance status
- On an annual basis merchants should check their service providers’ PCI DSS compliance status:
- Request an up to date and valid AOC
- Confirm the services provided to the merchant are included within the new AOC’s scope
- For those service providers that have not, or are not required to, validate compliance with the PCI DSS, obtain evidence of the service provider’s continued compliance with, and their ability to fulfil, the agreed PCI DSS Requirements.
- Check that service providers have maintained their presence on the card scheme lists of registered service providers.
Engage PCI DSS compliant service providers
- Merchants should perform due diligence before engaging or sharing card data with a new Service Provider.
- Merchants should follow the guidance above prior to engaging a new service provider:
- Qualify the service provider’s ability to provide a PCI DSS compliant service. Confirm their ability to protect cardholder data captured/processed/transmitted on behalf of the merchant or, to the extent that they could impact the security of cardholder data or the merchant’s CDE, their ability to operate in accordance with the applicable PCI DSS requirements;
- Check whether the service provider has registered with the Card Schemes;
- Agree a PCI DSS controls responsibility matrix;
- Ensure the service provider’s responsibilities are set out in written agreements.
By taking these steps merchants will be fulfilling their responsibility to manage their service providers and maintain awareness of their PCI DSS compliance status. They will have the assurance that their service providers are securing the cardholder data and the processes they manage on their behalf in accordance with PCI DSS.