PCI council releases third-party security assurance guidance

The guidance is meant to help merchants and third parties better understand their roles and responsibilities in the payment security ecosystem.

The PCI Security Standards Council has published supplemental guidance to help merchants and third parties handling cardholder data better understand their security roles and responsibilities.

Released Thursday, the Third-Party Security Assurance Information Supplement (PDF) specifically fleshes out how companies can readily comply with Payment Card Industry Data Security Standard (PCI DSS) requirement 12.8. The document was created by over 160 organizations that are part of the council's Special Interest Group (SIG).

According to the supplement, the guidance is not meant to “supersede, replace, or extend PCI DSS requirements,” but to focus on how entities can better vet third-party service providers (TPSPs) before establishing business relationships with them. In addition, the guidance will help merchants determine which third-party services fall under the scope of their PCI DSS assessments. The document also aims to make clear which PCI DSS requirements are to be met by third parties and which by the contracting entity.

Lastly, the new supplement walks businesses through crafting detailed written agreements when outsourcing, so that all parties are aware of their obligations, the guidance said.

The council defines a TPSP as a “business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data.”

On Monday, Troy Leach, CTO for the PCI Security Standards Council, told SCmagazine.com in an interview that the guidance comes at a critical time, when merchants are increasingly dependent on TPSPs and outsourcing certain services, particularly with the growth and adoption of cloud computing.

“One goal [of the supplement] was to detail scope, as that continues to be one of the most difficult things for merchants – to figure out where their payment card data is,” Leach said.

He later added that the guidance touches on the expansive payment security ecosystem, which can include not only third parties but also the companies that TPSPs themselves contract.

“Things that this document talks about are those nested relationships [and] how can you manage those relationships a little bit better,” Leach said.
