Meeting PCI DSS Third-Party Service Provider Requirements

PCI DSS Requirements

Please see the list below for a summary of the third-party-related PCI DSS guidance, and best practices for addressing these requirements. For the purposes of this blog (and considering the breadth of the PCI standard) only requirement 12.8 is reviewed.

Please be sure to review the entire PCI DSS standard to determine how each requirement applies to your business.

Requirement 12.8

Risk to information assets associated with third-party service provider (TPSP) relationships is managed.

12.8.1 A list of all third-party service providers (TPSPs) with which account data is shared or that could affect the security of account data is maintained, including a description for each of the services provided.

Build comprehensive third-party service provider profiles that include vendor firmographic details, geographic location, fourth-party technologies in use, and recent operational and financial insights. Start by importing third-party service providers into a central management system via a spreadsheet template or through an API connection to an existing procurement or vendor management solution, eliminating error-prone, manual processes. Then, provide a simple intake form to all stakeholders responsible for managing third parties so that all have input to a centralized third-party profile. This should be available to everyone via email invitation, without requiring any training or solution expertise.

12.8.2 Written agreements with TPSPs are maintained as follows:

• Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE.
• Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE.

Centralize the distribution, discussion, retention, and review of vendor contracts to automate the contract lifecycle and ensure key clauses are enforced.

• Centrally track all contracts and contract attributes such as type, key dates, value, reminders, and status – with customized, role-based views
• Use workflow (based on user or contract type) to automate the contract management lifecycle
• Automate reminders and overdue notices to streamline contract reviews
• Centralize contract discussion and comment tracking
• Store contracts and documents with role-based permissions and audit trails of all access
• Enable version control tracking that supports offline contract and document edits
• Leverage role-based permissions that enable allocation of duties, access to contracts, and read/write/ modify access

With this capability, you can ensure clear responsibilities and right-to-audit clauses are articulated in the vendor contract, and SLAs tracked and managed accordingly.

12.8.3 An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement.

Start by quantifying inherent risks for all third parties. Criteria used to calculate inherent risk for third-party prioritization includes:

• Type of content required to validate controls
• Criticality to business performance and operations
• Location(s) and related legal or regulatory considerations
• Level of reliance on fourth parties
• Exposure to operational or client-facing processes
• Interaction with protected data
• Financial status and health
• Reputation

From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.

Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory, and reputational considerations.

12.8.4 A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months.

Look for solutions that feature a large library of pre-built templates for third-party risk assessments – including those specifically built around PCI. Assessments can be conducted at the time of supplier onboarding, contract renewal, or at any required frequency (e.g., quarterly, or annually) depending on material changes in the relationship.

Assessments are managed centrally and backed by workflow, task management, and automated evidence review capabilities to ensure that your team has visibility into third-party risks throughout the relationship lifecycle.

Importantly, include built-in remediation recommendations based on risk assessment results to ensure that your third parties address risks in a timely and satisfactory manner and can provide the appropriate evidence to auditors.

As part of this process, continuously track and analyze external threats to third parties. Monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions, and financial information. All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation, and response initiatives.

The Prevalent Difference

The Prevalent Third-Party Risk Management Platform can help organizations address the third-party service provider requirements published in the PCI standard by:

• Providing a central platform to automate the onboarding, inventory, and management of all third-party service providers.
• Building a comprehensive third-party service provider profile for all internal stakeholders that includes continuously updated cyber, business, financial, compliance, and reputational insights.
• Centralizing the distribution, discussion, retention, and review of third-party service provider contracts to ensure that key security requirements are included, agreed upon, and enforced with key performance indicators (KPIs).
• Gauging inherent risk to inform third-party service provider profiling, tiering, and categorization – and determining the appropriate scope and frequency of ongoing due diligence activities.
• Automating risk assessments and remediation across every stage of the third-party service provider lifecycle.
• Continuously tracking and analyzing external threats to third-party service providers by monitoring the Internet and dark web for cyber threats and vulnerabilities.
• Simplifying PCI audit reporting with centralized assessments, monitoring, and evidence management.

For more on how Prevalent can help simplify third-party service provider management under PCI DSS, request a demonstration today.