Originally developed in 2004 and now on version 4.0, the Payment Card Industry Data Security Standard (PCI DSS) aims to enhance cardholder data security and facilitate the broad adoption of consistent data security measures worldwide. The standard applies to all entities that store, process, or transmit cardholder data. With 12 requirements across six areas, the standard is designed to ensure that organizations have the proper controls and procedures in place to secure cardholder data.
Specific to third-party risk management, Requirement 12: Support Information Security with Organizational Policies and Programs, section 12.8: Risk to information assets associated with third-party service provider (TPSP) relationships is managed, indicates that third-party service providers (TPSPs) are responsible for ensuring that data is protected per the applicable PCI DSS requirements and that they are compliant. PCI defines third-party service providers as those entities to which organizations have outsourced::
Third-Party Service Provider Requirements in PCI DSS v4.0
The PCI standard requires organizations to manage their third-party service providers (TPSPs), including:
It is important to note that TPSPs are responsible for demonstrating their PCI DSS compliance as requested by organizations. The standard says that there are two (2) primary ways to validate compliance, including:
Bottom line: The underlying requirements for third-party service provider management include assessing and continuously monitoring TPSPs.
While PCI DSS does not have legal authority, and compliance does not ensure against data breaches, it is mandatory for any business processing credit or debit card transactions.
Uncover Key TPRM Requirements in PCI DSS
A Checklist for Compliance: PCI DSS 4.0 and Third-Party Service Provider Management examines service provider requirements in PCI DSS v4.0 and offers recommendations for compliance.
Please see the list below for a summary of the third-party-related PCI DSS guidance, and best practices for addressing these requirements. For the purposes of this blog (and considering the breadth of the PCI standard) only requirement 12.8 is reviewed.
Please be sure to review the entire PCI DSS standard to determine how each requirement applies to your business.
Risk to information assets associated with third-party service provider (TPSP) relationships is managed.
12.8.1 A list of all third-party service providers (TPSPs) with which account data is shared or that could affect the security of account data is maintained, including a description for each of the services provided.
Build comprehensive third-party service provider profiles that include vendor firmographic details, geographic location, fourth-party technologies in use, and recent operational and financial insights. Start by importing third-party service providers into a central management system via a spreadsheet template or through an API connection to an existing procurement or vendor management solution, eliminating error-prone, manual processes. Then, provide a simple intake form to all stakeholders responsible for managing third parties so that all have input to a centralized third-party profile. This should be available to everyone via email invitation, without requiring any training or solution expertise.
12.8.2 Written agreements with TPSPs are maintained as follows:
Centralize the distribution, discussion, retention, and review of vendor contracts to automate the contract lifecycle and ensure key clauses are enforced.
With this capability, you can ensure clear responsibilities and right-to-audit clauses are articulated in the vendor contract, and SLAs tracked and managed accordingly.
12.8.3 An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement.
Start by quantifying inherent risks for all third parties. Criteria used to calculate inherent risk for third-party prioritization includes:
From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.
Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory, and reputational considerations.
12.8.4 A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months.
Look for solutions that feature a large library of pre-built templates for third-party risk assessments – including those specifically built around PCI. Assessments can be conducted at the time of supplier onboarding, contract renewal, or at any required frequency (e.g., quarterly, or annually) depending on material changes in the relationship.
Assessments are managed centrally and backed by workflow, task management, and automated evidence review capabilities to ensure that your team has visibility into third-party risks throughout the relationship lifecycle.
Importantly, include built-in remediation recommendations based on risk assessment results to ensure that your third parties address risks in a timely and satisfactory manner and can provide the appropriate evidence to auditors.
As part of this process, continuously track and analyze external threats to third parties. Monitor the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions, and financial information. All monitoring data should be correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation, and response initiatives.
The Prevalent Third-Party Risk Management Platform can help organizations address the third-party service provider requirements published in the PCI standard by:
For more on how Prevalent can help simplify third-party service provider management under PCI DSS, request a demonstration today.
Uncover key changes in the Standard Information Gathering (SIG) Questionnaire for 2025 and learn what these...
12/16/2024
Leverage these best practices to address NIS2 third-party risk management requirements.
12/03/2024
Ask your vendors and suppliers about their cybersecurity risk management, governance, and incident disclosure processes to...
10/24/2024