The PCI DSS was developed to enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally. The standard applies to all entities that store, process or transmit cardholder data. With 12 requirements across six areas, the standard aims to ensure that organizations have the proper controls and procedures in place to secure cardholder data.
Specific to third-party risk management, Requirement 12 ("Support Information Security with Organizational Policies and Programs"), section 12.8 ("Risk to information assets associated with third-party service provider (TPSP) relationships is managed") indicates that TPSPs are responsible for ensuring that data is protected per the applicable PCI DSS requirements and that they are compliant.
Third parties must show compliance with PCI DSS requirements, and that’s where an internal controls assessment and continuous monitoring are essential – determining the effectiveness of internal data security controls and remediating findings before a damaging third-party data breach impacts the business.
All service providers with access to cardholder data – including shared hosting providers – must adhere to PCI DSS; shared hosting providers must protect each entity’s hosted environment and data. This page focuses specifically on those hosting provider requirements.
- Perform due diligence on third-party service provider data security controls and practices
- Identify which third-party data security controls and requirements apply
- Have appropriate third-party service provider agreements in place to enforce controls
- Monitor the compliance of third-party service providers at least annually
Uncover Key TPRM Requirements in PCI DSS
A Checklist for Compliance: PCI DSS 4.0 and Third-Party Service Provider Management examines service provider requirements in PCI DSS v4.0 and offers recommendations for compliance.
Meeting PCI DSS Guidelines
The summary table below maps best-practice capabilities available in the Prevalent Third-Party Risk Management Platform to select third-party service provider requirements in PCI DSS v4.0.
NOTE: This table should not be considered definitive guidance. For a full list of requirements, please review the complete PCI Data Security Standard v4.0 in detail and consult your auditor.
PCI DSS v4.0 Third-Party Service Provider Requirements and Testing Procedures | How Prevalent Helps |
---|---|
Requirement 6: Develop and Maintain Secure Systems and Software | |
6.3 Security vulnerabilities are identified and addressed. | |
6.3.2 An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software is maintained to facilitate vulnerability and patch management. 6.3.2.a Examine documentation and interview personnel to verify that an inventory of bespoke and custom software and third-party software components incorporated into bespoke and custom software is maintained, and that the inventory is used to identify and address vulnerabilities. 6.3.2.b Examine software documentation, including for bespoke and custom software that integrates third-party software components, and compare it to the inventory to verify that the inventory includes the bespoke and custom software and third-party software components. | With the Prevalent Platform, you can require vendors to provide updated software bills of materials (SBOMs) for their software products and attach them as evidence or important documentation associated with the vendor. This will help you centralize the management of important artifacts and identify any potential vulnerabilities or licensing issues that may impact your organization’s security and compliance. |
Requirement 12: Support Information Security with Organizational Policies and Programs | |
12.8 Risk to information assets associated with third-party service provider (TPSP) relationships is managed. | |
12.8.1 A list of all third-party service providers (TPSPs) with which account data is shared or that could affect the security of account data is maintained, including a description for each of the services provided. 12.8.1.a Examine policies and procedures to verify that processes are defined to maintain a list of TPSPs, including a description for each of the services provided, for all TPSPs with whom account data is shared or that could affect the security of account data. 12.8.1.b Examine documentation to verify that a list of all TPSPs is maintained that includes a description of the services provided. | Using the Prevalent Platform, you can import third-party service providers into a central management system via a spreadsheet template or through an API connection to an existing procurement or vendor management solution, eliminating error-prone, manual processes. The Platform provides a simple intake form for all stakeholders responsible for managing third parties so that all have input to the centralized third-party profile. This is available to everyone via email invitation, without requiring any training or solution expertise. Build comprehensive third-party service provider profiles that include vendor firmographic details, geographic location, fourth-party technologies in use, and recent operational and financial insights with the Prevalent Platform. Having this accumulated data will enable you to report on and act against technology concentration risk. |
12.8.2 Written agreements with TPSPs are maintained as follows: 12.8.2.a Examine policies and procedures to verify that processes are defined to maintain written agreements with all TPSPs in accordance with all elements specified in this requirement. 12.8.2.b Examine written agreements with TPSPs to verify they are maintained in accordance with all elements as specified in this requirement. | With Prevalent, you can centralize the distribution, discussion, retention and review of vendor contracts to automate the contract lifecycle and ensure key clauses are enforced. Key capabilities include: With this capability, you can ensure that clear responsibilities and right-to-audit clauses are articulated in the vendor contract, and SLAs tracked and managed accordingly. |
12.8.3 An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement. 12.8.3.a Examine policies and procedures to verify that processes are defined for engaging TPSPs, including proper due diligence prior to engagement. 12.8.3.b Examine evidence and interview responsible personnel to verify the process for engaging TPSPs includes proper due diligence prior to engagement. | Start by quantifying inherent risks for all third parties using Prevalent. Criteria used to calculate inherent risk for third-party prioritization include: From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments. Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory, and reputational considerations. |
12.8.4 A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months. 12.8.4.a Examine policies and procedures to verify that processes are defined to monitor TPSPs’ PCI DSS compliance status at least once every 12 months. 12.8.4.b Examine documentation and interview responsible personnel to verify that the PCI DSS compliance status of each TPSP is monitored at least once every 12 months. | The Prevalent TPRM Platform includes a large library of pre-built templates for third-party risk assessments – including those specifically built around PCI. Assessments can be conducted at the time of supplier onboarding, contract renewal, or at any required frequency (e.g., quarterly or annually) depending on material changes in the relationship. Assessments are managed centrally and backed by workflow, task management and automated evidence review capabilities to ensure that your team has visibility into third-party risks throughout the relationship lifecycle. As part of this process, the Prevalent Platform continuously tracks and analyzes external threats to third parties. The Platform monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation, and response initiatives. |