Why You Need a Responsibility Matrix
One of the worst things you can hear during your PCI assessment (aside from maybe finding out that you’re storing unprotected cardholder data) is when your service provider says “that’s not my responsibility”. Suddenly you find yourself pushing your service provider to do things that are not in their contract, facing unforeseen costs, and potentially even having to work through an extended remediation period where you aren’t PCI DSS compliant.
Every single Self-Assessment Questionnaire (SAQ) and Report on Compliance (ROC) has requirements for how you need to manage your service providers. A big part of this is making sure that you understand:
- Which requirements you are responsible for
- Which requirements your third-party service provider (TPSP) is responsible for
- Which requirements you and your TPSP share responsibility for
In v3.2.1 you might have expected to see information about which requirements were met by your service provider in the Attestation of Compliance (AOC). If you were lucky, your service provider provided you with a responsibility matrix alongside their AOC.
But in Version 4.0 of PCI DSS, the AOC is changing. You won’t be able to see which specific requirements were excluded from your service provider’s scope – you’ll only be able to tell if a high level (1-12) requirement was fully or partially in place.
However, service providers who are assessing against v4.0 are now required to provide you with information about:
- The PCI compliance status for any service performed on behalf of customers – this helps you meet Req. 12.8.4
- Information about which requirements are the TPSP’s responsibility, which are the responsibility of the customer, and which are shared – helping you meet your 12.8.5 requirements.
So if your service provider gives you a v4.0 AOC but no information about responsibilities, make sure you request the document they use to meet their 12.9.2 requirements.
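A responsibility matrix is only useful if every requirement in your scope has a named owner and every shared requirement says who does which part. The following is an added example (not code from the original post or from any PCI SSC document) that reads a small matrix and reports exactly the gaps that turn into "that's not my responsibility" during an assessment: requirements nobody has claimed, requirements missing from the matrix entirely, and shared requirements with no description of the split. The CSV layout, the `requirement`/`customer`/`tpsp`/`notes` column names, the requirement numbers and the notes are all constructed for illustration and say nothing about what those PCI DSS requirements actually contain.

```python
"""Responsibility matrix gap checker (added example, not from the original post)."""
import csv
import io

# Constructed sample matrix. The requirement numbers and notes are placeholders
# for illustration only, not statements about real PCI DSS requirement text.
SAMPLE_MATRIX_CSV = """requirement,customer,tpsp,notes
1.2.1,no,yes,TPSP manages the network boundary
5.2.1,no,no,
8.3.1,yes,no,Customer manages its own user accounts
10.2.1,yes,yes,
12.8.4,yes,no,Customer tracks TPSP compliance status
"""

# Constructed list of requirements the customer expects the matrix to cover.
# In practice this would be every sub-requirement in your SAQ or ROC scope.
EXPECTED_REQUIREMENTS = ["1.2.1", "5.2.1", "8.3.1", "10.2.1", "11.3.1", "12.8.4"]


def parse_matrix(csv_text):
    """Return {requirement: (customer_responsible, tpsp_responsible, notes)}."""
    matrix = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        req = row["requirement"].strip()
        matrix[req] = (
            row["customer"].strip().lower() == "yes",
            row["tpsp"].strip().lower() == "yes",
            (row.get("notes") or "").strip(),
        )
    return matrix


def classify(customer, tpsp):
    """Map the two yes/no columns onto the three ownership categories (or a gap)."""
    if customer and tpsp:
        return "shared"
    if customer:
        return "customer"
    if tpsp:
        return "tpsp"
    return "unassigned"


def review_matrix(matrix, expected):
    """Bucket every expected requirement by owner and collect the gaps."""
    report = {
        "customer": [], "tpsp": [], "shared": [],
        "unassigned": [],            # present in the matrix, nobody claims it
        "missing": [],               # absent from the matrix altogether
        "shared_without_detail": [], # shared, but no note on who does what
    }
    for req in expected:
        if req not in matrix:
            report["missing"].append(req)
            continue
        customer, tpsp, notes = matrix[req]
        owner = classify(customer, tpsp)
        report[owner].append(req)
        if owner == "shared" and not notes:
            report["shared_without_detail"].append(req)
    return report


def matrix_is_complete(report):
    """True only when no requirement is unowned, missing, or ambiguously shared."""
    return not (report["unassigned"] or report["missing"]
                or report["shared_without_detail"])


if __name__ == "__main__":
    result = review_matrix(parse_matrix(SAMPLE_MATRIX_CSV), EXPECTED_REQUIREMENTS)
    for bucket, reqs in result.items():
        print(f"{bucket:>22}: {', '.join(reqs) or '-'}")
    print("matrix complete:", matrix_is_complete(result))
```

Run against the sample data, the report flags 5.2.1 as unassigned, 11.3.1 as missing, and 10.2.1 as shared with no description of the split; those three lines are the questions to put to the service provider before the assessment, not during it.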
Read more about how responsibility matrices can make your PCI DSS compliance easier and help your QSA understand your real scope of requirements.