Achieving PCI compliance with a third-party service provider

If you’re working with a third-party service provider, remember it’s still the responsibility of your organisation to ensure that your customers’ data is handled in compliance with PCI DSS standards.

It’s becoming increasingly common for organisations to outsource the storage, processing or transmission of cardholder data to third parties. Outsourcing the work does not outsource the accountability: if a provider handles card data on your behalf, your organisation remains responsible for ensuring that data is handled securely and in compliance with PCI DSS. So today I’m looking at four things you need to consider when working with third-party providers, to ensure you remain PCI compliant.

1) Perform Due Diligence

Before you start working with a third-party service provider, perform the checks needed to select one with the skills, capabilities and experience appropriate to the services it will provide. First determine the scope of the provider’s involvement: will it store, process or transmit cardholder data, and how does that relate to your own handling of cardholder data? Once you understand how the provider will handle cardholder data on your behalf, conduct thorough due diligence to identify the impact the engagement will have on your own PCI DSS compliance. In addition to the checks you would perform on any supplier, verify the provider’s PCI DSS compliance status and obtain copies of its validation documentation, normally its Attestation of Compliance (AOC). Check that the AOC is current and that the specific services you intend to use are listed as covered by the assessment; a provider can be compliant for some of its services and not others, and anything outside the assessed scope falls back on you. Having an established process for engaging service providers, including this due diligence before engagement, is itself required under PCI DSS requirement 12.8.3.

2) Match up the Service with PCI Requirements

It’s vital that you understand how the services this third party provides map onto the PCI DSS requirements. This lets you evaluate the security impact of using the provider to handle cardholder data on your behalf, and work out which of the PCI DSS requirements will apply to and be met by the provider, which will be met by your company, and which are shared. Record this as a responsibility matrix: maintaining information about which requirements each service provider manages and which you manage is required under requirement 12.8.5, and any requirement that neither party has explicitly taken ownership of is a gap in your compliance, not the provider’s. Ultimately, responsibility for PCI DSS compliance lies with you, regardless of your agreement with the third-party service provider. If they are your customers, their data is your responsibility.

3) Put it in Writing

As with any company you partner with, it’s vital to put agreements, policies and procedures in writing, just as you would with any other service provider. Detailed written agreements promote consistency and a shared understanding between your organisation and the provider of your respective responsibilities and obligations for meeting PCI DSS requirements. Note that a written agreement is not optional: requirement 12.8.2 requires a written agreement in which the service provider acknowledges its responsibility for the security of the cardholder data it possesses or otherwise stores, processes or transmits on your behalf, or to the extent that it could affect the security of your cardholder data environment. Make sure the agreement also covers how and when the provider will notify you of security incidents and of changes to its own compliance status.

4) Monitor Your Third-Party Service Provider’s Compliance Status

Maintaining PCI compliance and securing your customers’ cardholder data is ultimately your responsibility. Knowing your provider’s compliance status gives you assurance that it complies with the PCI DSS requirements applicable to the services it provides. Monitoring that status is also a requirement in its own right: 12.8.4 requires a programme to monitor service providers’ PCI DSS compliance status at least annually, so it is essential to achieving compliance yourself. In practice that means obtaining a fresh AOC from each provider every year, checking that its assessment date is current and its scope still matches the services you consume, and recording the result. If the PCI DSS requirements change, it is up to you to check that your provider has updated its service offering accordingly and remains compliant in light of the change.
