The PCI Security Standards Council has recently published recommendations for ensuring that payment data and systems entrusted to third parties are maintained in a secure and compliant manner, in accordance with PCI-DSS requirements. The recommendations are available at the following link: https://www.pcisecuritystandards.org/documents/PCI_DSS_V3.0_Third_Party_Security_Assurance.pdf.
A merchant, prior to engaging a supplier that will access its cardholder data environment or that will otherwise process, store or transmit cardholder data on the merchant’s behalf, must consider how that supplier will satisfy PCI-DSS requirements in a manner that allows the merchant itself to remain PCI-DSS compliant. The Council’s guidance provides merchants with a framework for understanding: (i) how a supplier’s own PCI-DSS compliance folds into the merchant’s PCI-DSS compliance requirements; (ii) how to evaluate a supplier’s level of compliance pre-engagement and allocate responsibility for each applicable PCI-DSS requirement during the engagement; and (iii) options for addressing scenarios in which a supplier is not formally certified as a PCI-compliant service provider or has no Report on Compliance (ROC) that it can provide to the merchant.
The dynamic between merchant and service provider is often one that can spawn unique scenarios and challenging questions, and this new guidance from the Council provides merchants and suppliers with a deeper perspective than was previously available and is a must-read.