FAQ #1312 Diff

If an entity uses a service provider that is not PCI DSS compliant, how does this impact the entity's compliance?

Earlier Version

Each payment brand may have their own program for using compliant service providers. Entities should contact their acquirer (merchant bank) or the payment brands directly to understand any requirements they have. Whether a service provider is required to validate PCI DSS compliance is determined by the individual payment brands.

There are many different scenarios where an entity, such as a merchant, may share cardholder data (CHD) or outsource elements of their cardholder data environment (CDE) to a service provider. In all scenarios, the entity must manage their service providers in accordance with Requirement 12.8. This includes performing due diligence, having appropriate agreements in place, identifying which requirements apply to the entity and which apply to the service provider, and monitoring the compliance status of service providers at least annually. Requirement 12.8 does not specify that the entity's service providers must be compliant, only that the entity monitor their compliance status. Service providers do not need to be validated as PCI DSS compliant in order for the entity to meet Requirement 12.8.

If, however, a service provider provides a service that is in scope for the entity's PCI DSS requirements, then the compliance of that service will impact the entity's compliance. For example, if an entity engages a service provider to manage their firewalls, and the service provider is not meeting the applicable requirements in PCI DSS Requirement 1, then those requirements are not in place for the merchant's compliance. As another example, service providers that store cardholder data on behalf of other entities would need to meet the applicable requirements related to access controls, physical security etc., in order for their customers to consider those requirements in place.

A service provider may be able to demonstrate that they've met the applicable requirements without undergoing a formal compliance validation. Refer to the "Use of Third-Party Service Providers / Outsourcing" section in PCI DSS v3 for guidance on how service providers may provide evidence of their compliance to their customers.

Later Version

When an entity (the TPSP customer) uses one or more TPSPs for functions within or related to the customer's cardholder data environment, it will impact the customer's PCI DSS compliance, specifically with PCI DSS Requirement 12.8 and with any PCI DSS requirements the TPSP is meeting on the customer's behalf.

In all scenarios where a TPSP is used, the customer must manage and oversee all their TPSP relationships and monitor the PCI DSS compliance status of their TPSPs in accordance with Requirement 12.8. This includes performing due diligence, having appropriate agreements in place, identifying which requirements apply to the customer and which apply to the TPSP, and monitoring the compliance status of TPSPs at least annually. Requirement 12.8 does not specify that the customer's TPSPs must be PCI DSS compliant, only that the customer monitors their compliance status as specified in the requirement. Therefore, TPSPs do not need to be validated as PCI DSS compliant for the customer to meet Requirement 12.8.

However, if a TPSP provides a service that meets a PCI DSS requirement(s) on behalf of the customer, then those requirements are in scope for the customer's assessment and the TPSP's compliance of that service will impact the customer's compliance. For example, if a customer engages a TPSP to manage their network security controls, and the TPSP does not provide evidence that it meets the applicable PCI DSS requirements in PCI DSS Requirement 1, then those requirements are not in place for the customer's assessment. As another example, TPSPs that store cardholder data on behalf of customers need to meet the applicable requirements related to access controls, physical security etc., for their customers to consider those requirements in place for their assessments.

Whether a TPSP is required to undergo a PCI DSS assessment is determined by organizations that manage compliance programs (for example, an acquirer, payment brand, or another entity). Entities should contact the organization that manages their compliance program directly to understand the requirements for using TPSPs. Contact details for the payment brands can be found in FAQ #1142: How do I contact card brands?

Refer to FAQ 1576: What evidence is a TPSP expected to provide to customers to validate PCI DSS compliance?

Disclaimer: This FAQ has been processed for display on this website and may contain errors. Please check the original FAQ on the PCI SSC website for the authoritative version.