PCI DSS compliance is mandatory for all entities processing cardholder data, including your third-party vendors. Security reports provide a window into a vendor’s information security program, uncovering their security controls strategy and its alignment with regulations like the PCI DSS. In many cases, businesses may choose to become PCI-certified to prove their compliance with PCI DSS requirements.
The following template will give you a high-level understanding of each vendor’s degree of compliance with PCI DSS and uncover potential compliance gaps requiring deeper investigation.
To get the most value from this post, be sure to download the accompanying editable template.
26 Vendor Questions for Evaluating PCI DSS Compliance in 2023
These questions will help you evaluate how each vendor's risk profile impacts your alignment with the standards of PCI DSS. To learn how these questions map to the requirements of the latest version of PCI DSS (version 4), refer to this guide on complying with PCI DSS 4.0.
Qualifying question: Specify the category of the payment service you offer.
Vendor to choose an option from the list below.
- Payment Application Vendor - Offer and provide assistance for applications that manage, handle, or transfer data related to cardholders.
- Payment Terminal Vendors / Payment Solution Vendors - Offer and provide assistance for devices or solutions, such as payment terminals or encryption solutions, that are utilized for accepting card payments.
- Payment Processors / E-commerce Payment Service Providers / Payment Gateways / Contact Centers - Handle, manage, or transfer cardholder data on your behalf.
- E-commerce Hosting Providers - Provide hosting and management services for your e-commerce server/website and develop and support your website.
- Providers of Software as a Service / Cloud-Based Hosting Provider - Offer services to develop, host, and/or manage your web application or payment application (e.g., online ticketing or booking application) in the cloud.
- Integrators / Resellers - Set up and configure merchant payment systems.
Learn how to choose security questionnaire automation software >
Note: The PCI Data Security Standard only applies to the bottom four category points in this list. Payment application vendors must comply with the Payment Application Data Security Standard (PA-DSS). The PIN Transaction Security (PTS) and PCI Point-to-Point Encryption standards apply to payment terminal vendors/payment solution vendors.
Question 1: Does the solution/product you offer securely collect and transmit payment card information?
- Yes
- No
- Vendor to support their answer with more details.
Download this template as an editable PDF.
Download PDF >
Internal note:
For card-not-present providers, including e-commerce and telephone order providers, you can check whether the following credit card brands include them in their list of compliant service providers.
Question 2: Do you store payment card information within my systems, such as in my physical store/shop locations, web application, or e-commerce website?
- Yes
- No
- Vendor to support their answer with more details.
Question 3: If you answered “yes” to question 2, explain how your product/service protects this data.
- Vendor to provide a detailed response.
Question 4: Does your product/service utilize robust encryption to ensure payment card data security during transmission?
- Yes
- No
- Vendor to support their answer with more details.
Internal note:
- For payment terminals & integrated payment terminals - You can check if the vendor is known for using a point-to-point encryption solution by referencing this directory.
Learn how to prepare for a PCI DSS audit >
Question 5: Do you use a secure version of Transport Layer Security (TLS) to ensure the security of transmitted payment card data?
- Yes
- No
- Vendor to support their answer with more details.
Internal note:
This question only applies to hosted e-commerce websites, web applications, or payment applications.
Question 6: Does your solution need to be integrated with any of my other systems or data centers?
- Yes
- No
- Vendor to support their answer with more details.
Internal note:
Some examples of relevant information systems/sectors the third-party solution might require integration with include:
- Payment terminals.
- Accounts receivable.
- Any systems/accounts with access to cardholder data.
Ideally, the vendor solution is standalone or requires few connections with other internal systems. Such segmented solutions are easier to secure and protect from compromise if a network is breached.
If the vendor does require integrations with your other systems, you will need to evaluate whether they provide greater value than the impact of their security risks on your security posture. This is best achieved by comparing their risk exposure against your risk appetite.
Learn how to calculate your risk appetite >
Question 7: Do you need to install a payment application or system in my IT environment?
- Yes
- No (skip to question 11)
- Vendor to support their answer with more details.
Question 8: If an installation is required, will you perform the installation?
- Yes
- No
- Vendor to support their answer with more details.
Question 9: If you answered “yes” to question 7, are you a PCI Qualified Integrator or Reseller?
- Yes
- No
- Vendor to support their answer with more details.
Find out if you need to hire a professional to become PCI DSS compliant >
Question 10: If you answered “no” to question 7, is my security team expected to install it?
- Yes
- No
- Vendor to support their answer with more details.
Internal note:
The process of installing any third-party payment processor applications in your systems shouldn’t just fall on your shoulders. If the vendor’s application(s) isn’t installed correctly, it could put you at a heightened risk of a PCI DSS violation or a data breach due to a misconfiguration.
Ideally, the vendor should install the application themselves in a compliant manner by exercising their expertise as a PCI Qualified Integrator (QIR). Short of this, the vendor should supply your security teams with an implementation guide that meets the following requirements at the very least. These points are queried in questions 10 to 15 below.
- Details about how to replace default systems passwords with complex ones.
- Details about managing security patches and updates.
- A delineation of any remote-access software that will be used to access your business.
- Information about your role during such remote connections.
Question 11: Will you offer assistance during the installation or setup process of the product/solution for changing all default passwords?
- Yes
- No
- Vendor to support their answer with more details.
Question 12: What assistance and guidance will you offer my business throughout the patching/updating process?
- Vendor to provide a detailed response.
Question 13: Are patches and updates automatically provided and installed?
- Yes
- No
- Vendor to support their answer with more details.
Question 14: Am I required to acquire and install those patches/updates myself?
- Yes
- No
- Vendor to support their answer with more details.
Question 15: How will you notify me when patches/updates are available or have been automatically implemented?
- Yes
- No
- Vendor to provide more details.
Internal note:
Without a system for regularly checking for and implementing security patches, the third-party solution will be vulnerable to data breaches, which increases your risk of suffering a costly PCI DSS non-compliance violation. Ideally, the third-party vendor should notify your security teams when a new security patch is available and offer guidance for the installation process.
To ensure the vendor is entirely aware of your due diligence expectations, include details of your notification expectations in their contract.
Question 16: Do you assume the responsibility of patching/updating your solution?
- Yes
- No
- Vendor to support their answer with more details.
Internal note:
This question is most relevant to hosted e-commerce websites, web applications, or payment applications.
Question 17: Will you, at any time, require remote access to business to offer support for your product/service?
- Yes
- No
- Vendor to support their answer with more details.
Internal note:
Any form of third-party remote connection is a potential attack vector that, if exploited, could result in a data breach. As such, these events should be regarded as critical cybersecurity risks that are prioritized in monitoring efforts.
Ideally, all remote third-party connections should be denied; the risk of malicious interception is far too significant. However, when remote access is required for product support, these sessions can take place in a manner that’s both PCI compliant and less susceptible to exploitation if the following PCI DSS requirements are met:
- Remote sessions are limited to the shortest period required to complete a support task.
- Remote access is completely disabled when not in use.
- Multi-Factor Authentication is used to verify the identities of all users from the third-party company attempting a remote connection.
- Regularly update usernames and passwords for remote connection sessions.
Question 18: Will your product be running from your systems that are owned and maintained by your company?
- Yes
- No
- Vendor to support their answer with more details.
Internal Note:
This question is applicable if the third-party vendor is a service provider.
Question 19: If you answered “yes” to question 15, is your environment PCI DSS compliant?
- Yes
- No
- Vendor to support their answer with more details.
Internal Note
This question is applicable if the third-party vendor is a service provider.
Question 20: If you answered “yes” to question 15, do your PCI DSS assessments cover all the services you offer me?
- Yes
- No
- Vendor to support their answer with more details.
Internal Note
This question is applicable if the third-party vendor is a service provider. If you want to have confidence in the quality of the PCI DSS assessment this vendor uses, consider using a Vendor Risk Management solution with an in-built third-party assessment module, such as UpGuard.
Learn about UpGuard’s Security Questionnaire solution >
Question 21: What monitoring solutions are in place for detecting suspicious activity preceding a data breach?
- Vendor to provide a detailed response.
Question 22: What is your expected timeframe for notifying me if your product/solution is compromised in a data breach?
- Vendor to provide a detailed response.
Question 23: Should my company receive a PCI DSS violation penalty due to your product/service, will you offer support/protection?
- Yes
- No
- Vendor to support their answer with more details.
Question 24: Do you have a cyber insurance policy covering breaches related to your product/service?
- Yes
- No
- Vendor to support their answer with more details.
Internal Note
A data breach insurance policy demonstrates the third-party vendor takes its cybersecurity posture very seriously. If the vendor does have data breach insurance, ask them to provide details about the scope of the coverage.
Learn more about cyber insurance >
Question 25: If I suffer a breach due to your product/service acting as an attack vector, will you assist in the notification of all my impacted customers?
- Yes
- No
- Vendor to support their answer with more details.
Internal Note
If the vendor doesn’t plan to offer notification assistance, your security team should work with them to design a customer notification protocol in the event cardholder data is compromised. This protocol should be added to your Incident Response Plan.
Learn how to create an Incident Response Plan >
Question 26: If you answered “yes” to question 21, will you offer credit monitoring for all impacted customers?
- Yes
- No
- Vendor to support their answer with more details.
How UpGuard Supports Compliance with PCI DSS
The UpGuard platform includes a PCI DSS compliance questionnaire that identifies compliance gaps based on vendor responses.
With this vendor risk assessment solution within a Vendor Risk Management program, security teams can pass all identified risks through a complete VRM lifecycle, keeping third-party security postures resilient against data breach attempts and PCI DSS violations.
