Cybersecurity is not only a team sport—it’s a multi-team sport. The complexity of cybersecurity as well as resource constraints make it nearly impossible to do business without help from third-parties. Utilizing third-party service providers for PCI DSS compliance offers several significant benefits, such as scope reduction. By outsourcing certain functions involving the handling, processing, or storage of cardholder data to PCI DSS compliant third parties, merchants can effectively reduce the complexity and extent of their own PCI DSS compliance requirements. Scope reduction is advantageous as it narrows down the merchant’s environment that needs to be secured and assessed, decreasing the burden of security audits and lowering costs. Specialized third-party providers often have well-established security infrastructures and expertise in data protection, which can improve your overall security posture.

Outsourcing may allow merchants to focus more resources on core business activities, with less time and money spent on payment security.

It is very important to remember that while third-party service providers can reduce the scope, merchants retain ultimate responsibility for ensuring that their providers are compliant and that the cardholder data is protected throughout the entire transaction process.

Failing to properly manage third-party service providers poses significant cybersecurity risks for any organization. Third-party service providers often have access to or manage sensitive data, systems, or infrastructure. If these service providers are not adequately vetted and monitored for compliance with cybersecurity standards, such as the PCI DSS), HIPAA, and others.

A breach in a third-party service provider’s system can have serious repercussions for a merchant under the PCI DSS framework. As merchants often rely on third-party service providers for processing, storing, or transmitting cardholder data, a compromise in the provider’s security can directly threaten the confidentiality and integrity of sensitive payment information. Such a breach not only exposes the merchant to potential data theft and financial fraud but also to significant compliance risks. Under PCI DSS, merchants are responsible for ensuring that all entities handling their cardholder data maintain compliance.

A breach of a third-party service provider that compromises your data could lead to fines, increased scrutiny in future audits, and reputation damage.

If a service provider is breached due to non-compliance or lax security measures, the merchant can be held accountable for the resulting data loss.

According to its annual study of third-party risk, The Ponemon Institute—a research center dedicated to privacy, data protection, and information security policy—says that most organizations consider themselves at risk for security breaches caused by third parties, and that risk is increasing. The findings of the study are interesting to read and can be found here: The 2022 Data Risk in the Third-Party Ecosystem Study

For PCI DSS compliance, and to ensure the security of your data, review the Attestation of Compliance and the Responsibility Matrix for your third-party service providers at least annually. By carefully examining these documents, merchants can ensure that their third-party service providers are adhering to necessary security standards, thereby safeguarding their customers’ payment card information and maintaining the integrity of their business and your data.

Remember, ultimately, your company may be held responsible for any data breaches, the third-party service providers are handling YOUR data.

For starters, keep a list of your third-party service providers. The list should at least include, the provider contact information (for incident response), a description of the services provided, and which security requirements they are responsible for, plus compliance dates.

Once you get the Attestations of Compliance from your service providers, do not just file it and move on. Here are some suggestions for reviewing the AOCs.
• Look for a description of the services provided. This document should explain what the service provider does to meet your company’s PCI DSS requirements.
• Confirm Service Provider Details: If the AOC is from a service provider, make sure it’s a service provider AOC and not a merchant AOC. If the TPSP fills out an SAQ, it must be SAQ-D.
• Check Service Coverage: The document should list the specific services covered under the PCI DSS assessment. The services you subscribe to from the provider must be stated.
• Review Assessment Dates: PCI DSS compliance is an ongoing process, not a one-time event. The AOC should have recent dates indicating that the assessment is up-to-date.
• Assessor Credentials: The AOC must be completed by a qualified assessor. This could be a Qualified Security Assessor (QSA) or an approved Internal Security Assessor (ISA).
• Examine PCI DSS Requirements Compliance: Each requirement of the PCI DSS should be addressed in the AOC, with a clear indication of whether it is ‘in place” or “not applicable”. Any requirements listed as not applicable should have a specific reason and that reason should be consistent with the services they are providing to your company.
• Signature and Attestation: The document should be duly signed and dated by the service provider and the assessor, attesting to the accuracy of the information. The signature from the service provider should be a person who has the authority and accountability to sign such as CISO, CFO, or Director of Security.

Ideally, TPSPs will also provide a Responsibility Matrix. This document spells out in detail what requirements they are responsible for, what you are responsible for, and which are shared.

• Clarify Responsibilities: The matrix should detail which party is responsible for each aspect of the PCI DSS requirements. This clarity is essential to ensure there are no gaps in compliance.
• Alignment with AOC: Cross-reference the responsibilities in the matrix with the AOC so the information is consistent.
• Comprehensiveness: The matrix should cover all PCI DSS requirements. This includes aspects such as data encryption, access controls, and network security. If any requirements are not applicable, again, there should be a valid reason, and it should be consistent with the service your company is paying for.

In conclusion, the real reason to keep up to date with TPSP documentation is not just to make sure they are compliant, but to understand how the service they provide to your company helps keep your data, and your customer’s data safe.

By: Peter Thornton – Senior Security Consultant – CISSP | HCISPP | ISSMP | PMP | CISA | QSA

Contact us for more information about our cybersecurity solutions.