PCI Compliance for Third-Party Service Providers: Monitoring and Managing Requirements

Back to main Blog
Justin Bonk, CISSP, PCI-QSA, CIA, CFE, CISA, CIPP/US

Senior Manager, Freed Maxick Risk Advisory Services

PCI-Compliance

The Most Overlooked Component of PCI Compliance

Achieving and maintaining PCI (Payment Card Industry) compliance is a challenging endeavor for even the most seasoned of IT professionals. Compliance requires an organization to maintain strict control over its data, processes, configurations, and personnel.

PCI compliance, however, does not end with your organization – one of the most overlooked components is how your third-party service providers (vendors) impact the overall security of your credit card data. There are multiple, key vendor related sub requirements that can make the difference between an organization being compliant or non-compliant.

Vendor PCI Compliance Monitoring

First and foremost are the outright vendor monitoring requirements that can be found in PCI DSS Requirement 12.8 – the requirement to have a system in place for managing any third-party service provider that you share cardholder data with, or who could potentially affect the security of cardholder data you possess.

You should thoroughly analyze your operations and determine which vendors you utilize that meet this criterion. PCI requires you to maintain a listing of these vendors, as well as all PCI sub requirements that fall under each vendor’s purview. Most importantly, it is your responsibility to monitor these vendors’ PCI compliance. On an annual basis you should reach out to your vendor representative and request their most recent PCI Attestation of Compliance (AOC).

Each vendor’s AOC must be reviewed for several items of note:

  • (1) Is this vendor PCI compliant?
    • If yes, continue to monitor vendor performance throughout the vendor relationship. If no, you will need to gain an understanding of the nature of the vendor’s non-compliance, and assess if there are any procedures you will need to enact to address the underlying issues. You should maintain documentation of this assessment and any determinations you have made relative to the issue.
  • (2) Are the services you are receiving from this vendor covered in the Attestation of Compliance (AOC)?
    • You may be utilizing a vendor that provides a multitude of services to its customers. Section 2 of your vendor’s AOC will detail which services are covered in the scope of the assessment, and which services are not. If you don’t see the services you are receiving from the vendor included in this section, you should inquire of your vendor representative.
  • (3) Is the AOC current?
    • In other words, is the AOC dated within the last year? Generally speaking, an AOC that is over a year old is considered out of date. If the AOC you’ve been provided isn’t dated within the last year, you should reach out to your vendor representative and inquire as to the availability of a more current AOC.

Vendor Access Control

You may be utilizing vendors that, due to the nature of their services, require access to your system from time to time. Processes should be in place to ensure these vendors are adequately trained in information security practices, and that these vendors are aware of your organization’s information security policies and procedures. Access should be provisioned to these vendors only when needed, removed when no longer necessary, and monitored when in use.

Vendor Risk Assessment

PCI doesn’t outright require your organization to perform a vendor risk assessment, but vendor-related risk should absolutely be a consideration when performing your organization’s overall risk assessment. If you are sharing any cardholder data with vendors, your organization still bares ultimate responsibility (and risk) of any vendor related incidents or breaches. As part of your risk assessment process, you should be considering the likelihood and impact of such vendor risks, and assess your organization’s overall control strength and ability to mitigate those risks.

Guidance From Your Vendor

Your cardholder data environment (CDE) is composed of hardware and software products provided by vendors. As the maker of these products, vendor guides can provide key information about recommended use, configuration and maintenance. In fact, PCI compliance assessments require the comparison of vendor recommendations to actual configuration and operation of the hardware or software product. If your product isn’t configured and operated in alignment with vendor recommendations, you may be out of compliance with PCI. Specifically, you should ensure you are in alignment with the following:

(1) Configuration

Vendor guidance will often provide specific recommendations on how to configure their hardware of software in the most secure manner. Part of a PCI DSS assessment includes evaluating system configurations against vendor recommendations, so its critical that you’ve consulted vendor materials and configured your system accordingly.

(2) Patch Management

Vendors will periodically release patches to address performance issues or security flaws identified within their product. Vendor guides will provide useful detail in the vendor’s patching process, as well as any requirements that may be your responsibility. PCI requires critical patches be applied within 30 days of release, and any other patches be applied in a ‘reasonable timeline.’

(3) System Implementation:

System components such as payment applications or encryption solutions may be sold by vendors as ‘PCI Compliant.’ Specifically, payment applications may be validated according to the PA-DSS standard, and encryption solutions may be validated according to the PCI P2PE standard. This means the product is sold in a compliant manner, as long as it is implemented in accordance with instructions. Payment applications must be implemented in accordance with the application’s PA-DSS Implementation Guide, and point to point encryption solutions must be implemented in accordance with the vendor’s P2PE Instruction Manual (PIM). If implemented correctly, this may reduce the scope of your PCI DSS assessment.

(4) Removal of Defaults

A large portion of hardware and software products will have default IDs with administrator privileges and passwords out of the box. These default IDs and passwords are well publicized and available on the internet, making it critical that these defaults are deactivated or removed once the product has been successfully installed for the first time. Vendor guidance should provide useful information on these default accounts and the process for changing them.

(5) Vendor Due Diligence

PCI requires you to have an established process for engaging vendors, including the performance of proper due diligence in the vendor selection process. Be sure to address information security as part of the vendor selection process, and save any documentation surrounding vendor selection.

For More Information on PCI Compliance for Third-Party Service Providers

Instituting strong vendor monitoring and governance processes is a highly recommended business practice. Implementing monitoring and governance procedures within your overall PCI compliance framework can be challenging. Freed Maxick can help you along the path to PCI compliance, from consultations on the strengths, weaknesses and needs of your compliance program, to assessing and providing verification of compliance.

PCI compliance can be very technical and the differences between compliant and non-compliant can be subtle. Reach out to us via our contact form or call me at 716.332.2680 to schedule a discussion of your situation and needs.

Stay up to date