As a service provider, your customers are always looking for more information about which requirements they are responsible for and which ones you’re responsible for. Service providers have handled this in different ways: some have provided responsibility matrix documents, others their AoC, and others various other documents.
But in v4.0, there’s a new requirement which sets out how third party service providers (TPSPs) need to support their customers’ compliance.
12.9.2: TPSPs must provide both of the following:
PCI DSS compliance status information for any service performed on behalf of customers, AND
Information about which requirements are the responsibility of the customer, which are the responsibility of the TPSP, and which are shared.
An AoC doesn’t always give customers enough detail to know how the responsibilities for each requirement split out. For that reason, the PCI SSC suggests in its guidance that good practice is to provide customers with a responsibility matrix that identifies all relevant PCI DSS requirements and indicates who is responsible for each, including which requirements have shared responsibility.
Need Help Developing a Responsibility Matrix?
Confide can help you document a responsibility matrix that you can provide to your customers. We’ve worked with many service providers and understand how responsibilities might not always be straightforward. Talk to us to see how we can help you.