Organizations must enact effective Third-Party Risk Management (TPRM) programs to ensure their vendors fulfill cybersecurity requirements. Otherwise, they risk carrying the financial and reputational harm caused by customer data breaches.
The PCI DSS standard covers aspects of third-party risk management as it's applicable to all organizations that process credit card data, especially the heavily regulated finance industry.
Avoiding hefty fines and negative news headlines is enough to encourage PCI compliance. These fears often overshadow the practical benefits of the standard’s implementation, such as security posture maturity and more effective TPRM practices.
This post outlines which PCI requirements are relevant to the third-party risk management process and how the UpGuard platform can help comply with each requirement across the vendor ecosystem.
If you’re already familiar with PCI DSS, click here to skip ahead to its third-party risk requirements.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is an international information security standard that aims to protect credit card data and sensitive authentication data and reduce credit card fraud.
The standard was first released in 2004, aligning the data security controls of five major payment brands – Visa, MasterCard, Discover, American Express, and JCB.
PCI DSS has gone through many revisions since the five card brands formed its governing body – the Payment Card Industry Security Standards Council (PCI SSC) – in 2006.
The most recent release of PCI DSS is v4.0. This version addresses the unavoidable influence of digital transformation and growing attack surfaces on payment technology.
Lean how to comply with PCI DSS 4.0 >
Any organization that processes credit or debit card data must be PCI compliant. Such organizations include:
- Acquirers
- Processors
- Merchants
- Banks
- Third-party service providers
Find out if you need to hire an auditor for PCI compliance >
What are the PCI DSS Compliance Requirements?
The latest version of PCI DSS consists of 12 main requirements, divided across six broader objectives.
Learn how to choose a PCI DSS 4.0 compliance product >
Objective 1: Build and Maintain a Secure Network and Systems
Requirement 1. Install and maintain a firewall configuration to protect cardholder data.
Requirement 2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Objective 2: Protect Cardholder Data
Requirement 3. Protect stored cardholder data.
Requirement 4. Encrypt transmission of cardholder data across open, public networks.
Objective 3: Maintain a Vulnerability Management Program
Requirement 5. Protect all systems against malware and regularly update anti-virus software or programs.
Requirement 6. Develop and maintain secure systems and applications.
Objective 4: Implement Strong Access Control Measures
Requirement 7. Restrict access to cardholder data by business need to know.
Requirement 8. Identify and authenticate access to system components.
Requirement 9. Restrict physical access to cardholder data.
Objective 5: Regularly Monitor and Test Networks
Requirement 10. Track and monitor all access to network resources and cardholder data.
Requirement 11. Regularly test security systems and processes.
Objective 6: Maintain an Information Security Policy
Requirement 12. Maintain a policy that addresses information security for all personnel.
The PCI Security Standards Council requires annual validation of compliance. Merchants must complete Self-Assessment Questionnaires (SAQs) and will be subject to onsite audits by a Qualified Security Assessor if they deal with larger volumes of transactions.
Organizations that do not comply with PCI DSS are liable to fines ranging from $5,000 to $100,000 per month of non-compliance.
This checklist will help you track your PCI DSS compliance efforts. For assessing PCI DSS compliance with your vendors, use this free template.
Learn how to communicate third-party risk to the Board >
PCI DSS Compliance Levels
There are four different levels of PCI DSS compliance requirements, dependent on:
- The number of credit card transactions the merchant processes,
- The payment processing medium the merchant uses, and
- The data breach status of the merchant.
Level 1
Covers merchants who process more than six million credit card transactions annually, including real-world and e-commerce transactions, OR any merchant who has recently experienced a data breach.
Compliance Requirements:
- Annual audit by a Qualified Security Assessor (QSA)
- Quarterly network scan performed by an Approved Scanning Vendor (ASV)
- Annual receipt of an Attestation of Compliance (AoC) and Report on Compliance (RoC)
Level 2
Covers merchants who process between one and six million credit card transactions annually, including real-world and e-commerce transactions.
Compliance Requirements:
- Annual completion of a Self-Assessment Questionnaire (SAQ)
- Quarterly network scan performed by an Approved Scanning Vendor (ASV)
Level 3
Covers merchants who process between 20,000 and one million e-commerce transactions annually.
Compliance Requirements:
- Annual completion of a Self-Assessment Questionnaire (SAQ)
- Quarterly network scan performed by an Approved Scanning Vendor (ASV)
Level 4
Covers merchants who process fewer than 20,000 and one million e-commerce transactions annually, or up to one million real-world transactions annually.
Compliance Requirements:
- Annual completion of a Self-Assessment Questionnaire (SAQ)
- Quarterly network scan performed by an Approved Scanning Vendor (ASV)
What are the PCI DSS Requirements for Third Parties?
The PCI Security Standards Council’s Information Supplement: Third-Party Security Assurance document states that entities may outsource their credit card operations to a third-party service provider (TPSP), such as “to store, process, or transmit cardholder data on the entity’s behalf, or to manage components of the entity’s cardholder data environment (CDE).”
Common TPSPs include:
- Application hosting
- Data centers
- Payment gateway providers
- Cloud infrastructure
- Encryption or tokenization services
- Managed security services
- Payment processors
CDE components include:
- Routers
- Firewalls
- Databases
- Physical security
- And/or servers
While Council acknowledges that such TPSP “…can become an integral part of the entity’s cardholder data environment…impact an entity’s PCI DSS compliance….[and] the security of the cardholder data environment”, it stresses that an entity is “ultimate[ly] responsib[le] for its own PCI DSS compliance, [and not] exempt…from accountability and obligation for ensuring that its cardholder data (CHD) and CDE are secure.”
PCI SSC provides guidance across four main areas to help entities implement TPRM programs that meet the PCI DSS standard’s security requirements.
1. Third-Party Service Provider Due Diligence
Practicing vendor due diligence to ensure potential vendors are reviewed and selected based on their security practices.
2. Service Correlation to PCI DSS Requirements
Reaching a mutual agreement on which PCI DSS requirements are to be fulfilled by the TPSP and those that the entity will fulfill, understanding that the entity is ultimately responsible for compliance.
3. Written Agreements and Policies and Procedures
Creating written agreements that clearly state the mutual agreement reached by the TPSP and entity regarding PCI DSS compliance requirements.
4. Monitor Third-Party Service Provider Compliance Status
Having visibility into the PCI DSS compliance status of each relevant TPSP to ensure the entity itself remains compliant.
PCI DSS Third-Party Risk Requirements
The PCI Data Security Standard includes a condensed vendor risk management program, sectioned under requirement 12.8, containing five sub-requirements and an additional requirement specifically for third-party service providers.
Requirement 12.8
“Establish and implement policies and procedures to manage service providers where cardholder data is shared or may affect cardholder data security.”
The policies are procedures should cover the following sub-requirements.
Sub-Requirement 12.8.1
“Maintain a list of service providers, including a description of the service provided.”
How UpGuard Can Help
UpGuard’s Vendor Inventory can instantly find, track, and monitor the security posture of any organization. The feature allows organizations to compare service providers against industry benchmarks and monitor their security posture over time in one centralized location.
Click here to try UpGuard for free for 7 days.
Sub-Requirement 12.8.2
“Maintain a written agreement that includes an acknowledgment that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.”
How UpGuard Can Help
UpGuard allows organizations to upload any additional evidence, such as written agreements, during the risk assessment process for convenient future reference.
Click here to try UpGuard for free for 7 days.
Sub-Requirement 12.8.3
“Ensure there is an established process for engaging service providers, including proper due diligence prior to engagement.”
How UpGuard Can Help
UpGuard automates the entire vendor lifecycle, from onboarding to offboarding. Organizations can speed up their due diligence process with the UpGuard platform with pre-built security questionnaires and streamlined risk assessments.
Click here to try UpGuard for free for 7 days.
Sub-Requirement 12.8.4
“Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.”
How UpGuard Can Help
UpGuard’s Shared Profile feature allows vendors to proactively upload supporting documentation, such as PCI DSS certification and audit reports, to validate compliance. Organizations can easily request further evidence or any required remediation through the platform.
Click here to try UpGuard for free for 7 days.
Sub-Requirement 12.8.5
“Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.”
How UpGuard Can Help
UpGuard automatically discovers potential vendor risks across 70+ attack vectors, allowing organizations to prevent potential data breaches through real-time reporting and automated remediation workflows.
Click here to try UpGuard for free for 7 days.
Sub-Requirement 12.9
“Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.”
How UpGuard Can Help
Vendors of UpGuard customers can create a free account to receive and respond to security questionnaires and complete risk assessments. Using the Shared Profile feature, vendors can also store all relevant risk assessment documentation for easy future reference.
Watch the video below to learn about some of UpGuard's compliance reporting features.
