Blog
Meeting PCI DSS Third-Party Risk Requirements

Meeting PCI DSS Third-Party Risk Requirements

Catherine Chipeta
Catherine Chipeta
updated Apr 21, 2022

Organizations must enact effective third-party risk management (TPRM) programs to ensure their vendors fulfill cybersecurity requirements. Otherwise, they risk carrying the financial and reputational harm caused by customer data breaches

The PCI DSS standard covers aspects of third-party risk management as it's applicable to all organizations that process credit card data, especially the heavily regulated finance industry.

Avoiding hefty fines and negative news headlines is enough to encourage PCI compliance. These fears often overshadow the practical benefits of the standard’s implementation, such as security posture maturity and more effective TPRM practices. 

This post outlines which PCI requirements are relevant to the third-party risk management process and how the UpGuard platform can help comply with each requirement across the vendor ecosystem.

If you’re already familiar with PCI DSS, click here to skip ahead to its third-party risk requirements.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is an international information security standard that aims to protect credit card data and sensitive authentication data and reduce credit card fraud. 

The standard was first released in 2004, aligning the data security controls of five major payment brands – Visa, MasterCard, Discover, American Express, and JCB. 

PCI DSS has gone through many revisions since the five card brands formed its governing body  – the Payment Card Industry Security Standards Council (PCI SSC) – in 2006.

The most recent release of PCI DSS is v3.2.1, published in May 2018. The most significant changes since 2013 will come with the expected release of PCI DSS 4.0 in Q1, 2022, which will address digital transformation and the growing attack surface.

Any organization that processes credit or debit card data must be PCI compliant. Such organizations include:

  • Acquirers
  • Processors
  • Merchants
  • Banks
  • Third-party service providers

What are the PCI DSS Compliance Requirements?

The latest version of PCI DSS consists of 12 main requirements, divided across six broader objectives.

Objective 1: Build and Maintain a Secure Network and Systems 

Requirement 1. Install and maintain a firewall configuration to protect cardholder data. 

Requirement 2. Do not use vendor-supplied defaults for system passwords and other security parameters. 

Objective 2: Protect Cardholder Data 

Requirement 3. Protect stored cardholder data. 

Requirement 4. Encrypt transmission of cardholder data across open, public networks

Objective 3: Maintain a Vulnerability Management Program 

Requirement 5. Protect all systems against malware and regularly update anti-virus software or programs.

Requirement 6. Develop and maintain secure systems and applications. 

Objective 4: Implement Strong Access Control Measures 

Requirement 7. Restrict access to cardholder data by business need to know. 

Requirement 8. Identify and authenticate access to system components.

Requirement 9. Restrict physical access to cardholder data.

Objective 5: Regularly Monitor and Test Networks 

Requirement 10. Track and monitor all access to network resources and cardholder data.

Requirement 11. Regularly test security systems and processes. 

Objective 6: Maintain an Information Security Policy

Requirement 12. Maintain a policy that addresses information security for all personnel.

The PCI Security Standards Council requires annual validation of compliance. Merchants must complete Self-Assessment Questionnaires (SAQs) and will be subject to onsite audits by a Qualified Security Assessor if they deal with larger volumes of transactions.

Organizations that do not comply with PCI DSS are liable to fines ranging from $5,000 to $100,000 per month of non-compliance. 

PCI DSS Compliance Levels

There are four different levels of PCI DSS compliance requirements, dependent on:

  • The number of credit card transactions the merchant processes,
  • The payment processing medium the merchant uses, and 
  • The data breach status of the merchant. 

Level 1 

Covers merchants who process more than six million credit card transactions annually, including real-world and e-commerce transactions, OR any merchant who has recently experienced a data breach

Compliance Requirements

  • Annual audit by a Qualified Security Assessor (QSA)
  • Quarterly network scan performed by an Approved Scanning Vendor (ASV)
  • Annual receipt of an Attestation of Compliance (AoC) and Report on Compliance (RoC)

Level 2 

Covers merchants who process between one and six million credit card transactions annually, including real-world and e-commerce transactions.  

Compliance Requirements:

  • Annual completion of a Self-Assessment Questionnaire (SAQ) 
  • Quarterly network scan performed by an Approved Scanning Vendor (ASV)

Level 3 

Covers merchants who process between 20,000 and one million e-commerce transactions annually. 

Compliance Requirements:

  • Annual completion of a Self-Assessment Questionnaire (SAQ) 
  • Quarterly network scan performed by an Approved Scanning Vendor (ASV)

Level 4

Covers merchants who process fewer than 20,000 and one million e-commerce transactions annually, or up to one million real-world transactions annually. 

Compliance Requirements: 

  • Annual completion of a Self-Assessment Questionnaire (SAQ) 
  • Quarterly network scan performed by an Approved Scanning Vendor (ASV)

What are the PCI DSS Requirements for Third Parties?

The PCI Security Standards Council’s Information Supplement: Third-Party Security Assurance document states that entities may outsource their credit card operations to a third-party service provider (TPSP), such as “to store, process, or transmit cardholder data on the entity’s behalf, or to manage components of the entity’s cardholder data environment (CDE).”

 Common TPSPs include:

CDE components include:

  • Routers
  • Firewalls
  • Databases
  • Physical security 
  • And/or servers

While Council acknowledges that such TPSP “…can become an integral part of the entity’s cardholder data environment…impact an entity’s PCI DSS compliance….[and] the security of the cardholder data environment”, it stresses that an entity is “ultimate[ly] responsib[le] for its own PCI DSS compliance, [and not] exempt…from accountability and obligation for ensuring that its cardholder data (CHD) and CDE are secure.”

PCI SSC provides guidance across four main areas to help entities implement TPRM programs that meet the PCI DSS standard’s security requirements. 

1. Third-Party Service Provider Due Diligence

Practicing vendor due diligence to ensure potential vendors are reviewed and selected based on their security practices. 

2. Service Correlation to PCI DSS Requirements 

Reaching a mutual agreement on which PCI DSS requirements are to be fulfilled by the TPSP and those that the entity will fulfill, understanding that the entity is ultimately responsible for compliance.  

3. Written Agreements and Policies and Procedures

Creating written agreements that clearly state the mutual agreement reached by the TPSP and entity regarding PCI DSS compliance requirements. 

4. Monitor Third-Party Service Provider Compliance Status

Having visibility into the PCI DSS compliance status of each relevant TPSP to ensure the entity itself remains compliant. 

PCI DSS Third-Party Risk Requirements

The PCI Data Security Standard includes a condensed vendor risk management program, sectioned under requirement 12.8, containing five sub-requirements and an additional requirement specifically for third-party service providers.

Requirement 12.8

“Establish and implement policies and procedures to manage service providers where cardholder data is shared or may affect cardholder data security.”

The policies are procedures should cover the following sub-requirements. 

Sub-Requirement 12.8.1

“Maintain a list of service providers, including a description of the service provided.”

How UpGuard Can Help

UpGuard’s Vendor Inventory can instantly find, track, and monitor the security posture of any organization. The feature allows organizations to compare service providers against industry benchmarks and monitor their security posture over time in one centralized location. 

Click here to try UpGuard for free for 7 days.

Sub-Requirement 12.8.2

“Maintain a written agreement that includes an acknowledgment that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.”

How UpGuard Can Help

UpGuard allows organizations to upload any additional evidence, such as written agreements, during the risk assessment process for convenient future reference.

Click here to try UpGuard for free for 7 days.

Sub-Requirement 12.8.3 

 “Ensure there is an established process for engaging service providers, including proper due diligence prior to engagement.”

How UpGuard Can Help

UpGuard automates the entire vendor lifecycle, from onboarding to offboarding. Organizations can speed up their due diligence process with the UpGuard platform with pre-built security questionnaires and streamlined risk assessments. 

Click here to try UpGuard for free for 7 days.

Sub-Requirement 12.8.4

“Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.”

How UpGuard Can Help

UpGuard’s Shared Profile feature allows vendors to proactively upload supporting documentation, such as PCI DSS certification and audit reports, to validate compliance. Organizations can easily request further evidence or any required remediation through the platform.  

Click here to try UpGuard for free for 7 days.

Sub-Requirement 12.8.5

“Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.” 

How UpGuard Can Help

UpGuard automatically discovers potential vendor risks across 70+ attack vectors, allowing organizations to prevent potential data breaches through real-time reporting and automated remediation workflows. 

Click here to try UpGuard for free for 7 days.

Sub-Requirement 12.9 

“Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.”

How UpGuard Can Help

Vendors of UpGuard customers can create a free account to receive and respond to security questionnaires and complete risk assessments. Using the Shared Profile feature, vendors can also store all relevant risk assessment documentation for easy future reference.

Click here to try UpGuard for free for 7 days.

Free

UpGuard logo in white
UpGuard free resources available for download
Learn more

Download our free ebooks and whitepapers

Insights on cybersecurity and vendor risk management.
UpGuard logo in white
eBooks, Reports & Whitepapers
UpGuard free resources available for download
UpGuard customer support teamUpGuard customer support teamUpGuard customer support team

See UpGuard In Action

Book a free, personalized onboarding call with one of our cybersecurity experts.
Abstract shapeAbstract shape

Related posts

Learn more about the latest issues in cybersecurity.
Deliver icon

Sign up to our newsletter

Get the latest curated cybersecurity news, breaches, events and updates in your inbox every week.
Abstract shapeAbstract shape
Free instant security score

How secure is your organization?

Request a free cybersecurity report to discover key risks on your website, email, network, and brand.
  • Check icon
    Instant insights you can act on immediately
  • Check icon
    Hundreds of risk factors including email security, SSL, DNS health, open ports and common vulnerabilities
Website Security scan resultsWebsite Security scan ratingAbstract shape