Currently, there is no requirement to use a PCI compliant service provider (although the card brands and banks may require you to do so). If you are outsourcing some of your compliance responsibilities to a third-party, you need to understand what this means for your own PCI DSS compliance.
If you use a service provider for something that is in-scope for your compliance, they need to be able to demonstrate that they are providing that service in a compliant manner. This can be done either by:
- Having the service provider provide their current Attestation of Compliance (AoC) (and Responsibility Matrix if they have one) which covers the service they are providing OR
- Including them within the scope of your assessment either at your cost or an agreed shared cost.
If your Service Provider can provide you with an AoC, you need to make sure that you keep a copy of that for your records and for your QSA to review. And make sure that if you’re expecting them to be responsible for a requirement that it is covered within the scope of their AoC. Finally, make sure the Service Provider provides you with an updated AoC annually.
But since our focus is on Service Providers who cannot provide an AoC, let’s look at how that will affect the scope of your assessment.
What Does it Mean to Include Someone in the Scope of Our Assessment?
Put simply, this means that your QSA would expect to be able to review the way that the third-party provides the services to you to ensure that they are meeting your compliance requirements.
This means that your QSA will need to conduct interviews with them, review their system configurations, review their processes, and review their documentation depending on what services they are providing.
What it does not mean is that everything done by the service provider comes into scope. Only the processes and services they provide to you as well as some potential supporting services will be in-scope.
One common example of a service provider without an AoC that we see is data centres and physical hosting. While more data centres are doing PCI compliance (we do strongly recommend checking this as part of your due diligence when signing a contract with them) it provides an easy example of how including someone in your own compliance review works.
If a data centre is included in your assessment and they do not have an AoC, your QSA would visit the data centre, observe visitor logs and CCTV footage, look at access logs (for your racks), physically check to make sure the racks are locked, observe visitor processes, and interview staff about these processes and supporting processes.
While this is just one example, the high-level processes are the same. Your QSA needs to verify that the service is being provided in a way to ensure you can become (or remain) PCI DSS compliant.
Other Considerations
One of the most important things to consider is making sure that your Service Provider is aware of the need for them to provide a compliant service. Review the services you are using and make sure that each Service Provider:
- Is aware of their PCI requirements AND
- Has acknowledged their PCI requirements
Where possible there may be a contractual obligation for the Service Provider to be PCI DSS compliant. Most importantly, doubly ensure that you have a right to audit built in to your contracts so that you’re not leaving things to chance if they aren’t PCI compliant or they fall out of compliance.
Now What?
With a basic understanding of your Service Providers, the next step is to build a responsibility matrix so that you understand which Service Providers are responsible for which PCI DSS requirements. You can find more information on the PCI SSC Third-Party Security Assurance and Shared Responsibilities document on page 43, or Confide can assist you in understanding your service providers and how they affect your PCI compliance.
Need More Help?
If you need more help to understand how your Service Providers could affect your PCI compliance, contact us to find out how Confide can help.
