Compliance Management

PCI council releases third-party security assurance guidance


The PCI Security Standards Council has published supplemental guidance to help merchants and third parties handling cardholder data better understand their security roles and responsibilities.

Released Thursday, the Third-Party Security Assurance Information Supplement (PDF) specifically fleshes out how companies can readily comply with Payment Card Industry Data Security Standard (PCI DSS) requirement 12.8. The document was created by over 160 organizations that are a part of the council's Special Interest Group (SGI).

According to the supplement, the guidance is not meant to “supersede, replace, or extend PCI DSS requirements,” but to focus on how entities can better vet third-party service providers (TPSPs) before establishing business relationships with them. In addition, the guidance will help merchants determine which third party services fall under the scope of their PCI DSS assessments. The document also aims to make clear which PCI DSS requirements are to be met by third parties or by the contracting entity.

Lastly, the new supplement walks businesses through crafting detailed written agreements when outsourcing, so that all parities are aware of their obligations, the guidance said.

The council defines TPSPs as a “business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data.”

On Monday, Troy Leach, CTO for the PCI Security Standards Council told in an interview that the guidance comes at an integral time when merchants are increasing their dependency on TPSPs and outsourcing certain services, particularly with the growth and adoption of cloud computing.

“One goal [of the supplement] was to detail scope, as that continues to be one of the most difficult things for merchants – to figure out where their payment card data is,” Leach said.

He later added that the guidance touches on the expansive payment security ecosystem, which can include third parties as well as companies TPSP's contract themselves.

“Things that this document talks about are those nested relationships [and] how can you manage those relationships a little bit better,” Leach said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.