Vendor Management and Third-Party Risks in PCI DSS Compliance


Processing of cardholder data (CHD) for services and goods is widespread across business sectors, requiring companies to ensure protection of their customers’ payment card details. The Payment Card Industry Data Security Standard (PCI DSS) aims to ensure protection of the cardholder data and prevent credit card fraud. It provides a security standard to organizations that handle, process, store, or transmit payment card information, establishing a secure framework.

A well-structured Vendor Risk Management (VRM) Program is a must for companies subject to PCI DSS compliance. Through proactive vendor selection, ongoing due diligence, periodic auditing, and automated risk reporting, organizations can protect CHD, mitigate third-party risk, and maintain a robust security posture. A VRM program designed specifically for PCI DSS compliance not only satisfies the regulatory requirements but also reinforces customer confidence in the security of the payment environment.

Third-party risk management can be difficult, particularly for organizations with a high volume of vendors. Typical challenges are:

  • Inability to gain visibility into the security practices of third-party service providers (TPSPs).
  • Inability to enforce contractual security requirements.
  • Dealing with the complexity of interdependent systems.

Types of Third-Party Service Providers (TPSPs)

TPSPs play a crucial role in payment security and can be categorized based on their involvement in handling cardholder data:

  • Entities that store, process, or transmit account data on behalf of an organization.
    • Examples: Payment gateways, payment processors, payment service providers (PSPs), and off-site data storage providers.
  • Entities managing system components within the scope of PCI DSS compliance.
    • Examples: Providers of network security controls, anti-malware services, Security Information and Event Management (SIEM) solutions, contact and call centres, web-hosting companies, and cloud service providers offering IaaS, PaaS, SaaS, or FaaS.
  • Entities that could impact the security of cardholder data and/or sensitive authentication data.
    • Examples: Vendors providing remote support access and bespoke software developers.

Organizations must ensure that all TPSPs comply with PCI DSS requirements to maintain a secure payment ecosystem and mitigate third-party risk. PCI DSS Requirement 12.8 specifically addresses third-party vendor management, prescribing policies and controls for service providers with whom cardholder data is shared or whose services could affect the security of cardholder data.

Key PCI DSS Requirements Related to Vendor Management

12.8 Risk to information assets associated with third-party service provider (TPSP) relationships is managed.

12.8.1: Maintaining a list of all TPSPs

Maintaining a list of all TPSPs identifies where potential risk extends outside the organization and defines the organization’s extended attack surface.

12.8.2: Maintaining written agreements for TPSPs

A TPSP’s written acknowledgment confirms its commitment to securing account data and recognizing the assets affected while providing services. The level of responsibility depends on the agreed service scope and contractual obligations with the assessed entity.

12.8.3: Conducting pre-engagement due diligence for TPSPs

A comprehensive process for engaging TPSPs, including the information used for selection and screening before engagement, ensures that a TPSP is properly vetted internally before a formal relationship is formed and that the risk to cardholder data involved in engaging the TPSP is understood.

12.8.5: Establishing accountability of TPSPs

Records are kept of which PCI DSS requirements are handled by the TPSP, which are handled by the entity, and which are shared between the entity and the TPSP. Entities may record these in a responsibility matrix that lists every applicable PCI DSS requirement and, for each one, shows whether the entity or the TPSP is responsible for meeting it or whether the responsibility is shared.

PCI DSS Requirement 12.9 mandates that TPSPs support their customers’ PCI DSS compliance by ensuring security controls are in place for cardholder data. Organizations must establish clear agreements with TPSPs to define security responsibilities, ensuring compliance obligations are met.

PCI DSS Requirement 6.3.2 mandates that an inventory of bespoke and custom software, and of the third-party software components incorporated into bespoke and custom software, is maintained to facilitate vulnerability and patch management.

To ensure proper vulnerability and patch management, organizations need to have an inventory of custom and bespoke software, including third-party components. Such an inventory facilitates the identification of potential security vulnerabilities in custom as well as third-party software. Through monitoring and the application of security patches to third-party components, organizations are able to remedy vulnerabilities and protect their software against attacks.

Options for TPSPs to Validate PCI DSS Compliance for TPSP Services that Meet Customers’ PCI DSS Requirements

TPSPs should prove PCI DSS compliance upon request by organizations that operate compliance programs (e.g., payment brands, acquirers). When offering services that affect a customer’s PCI DSS requirements or security of cardholder data, the services fall under the customer’s PCI DSS audit criteria. TPSPs have two methods of proving compliance:

Annual Assessment: The TPSP completes a yearly PCI DSS assessment and provides proof to customers to indicate compliance.

On-Demand Assessments: If no annual assessment occurs, the TPSP undergoes assessments upon customer request or participates in customer assessments, sharing the results.

In the event the TPSP performs its own evaluation, it should evidence that the scope included the related services and PCI DSS requirements. This should include offering an Attestation of Compliance (AOC) or applicable portions of the Report on Compliance (ROC) as requested. Where the TPSP lacks an AOC, it should evidence compliance with relevant PCI DSS requirements.

Responsibilities Between TPSP Customers and TPSPs

When a TPSP provides services that help meet PCI DSS requirements or that impact the security of cardholder data and sensitive authentication data, both parties must clearly identify and understand:

  • The services and components covered in the TPSP’s PCI DSS assessment.
  • The specific PCI DSS requirements and sub-requirements addressed by the TPSP’s assessment.
  • Requirements that customers are responsible for in their own PCI DSS assessments.
  • Shared PCI DSS requirements between the TPSP and its customers.

For example, a cloud provider must define which of its IP addresses are included in the scope of the PCI DSS assessment.

At SandBox Security, a PCI QSA company, we specialize in guiding financial organizations to achieve and sustain PCI DSS compliance, empowering them to thrive in an era of digital risk. For support and guidance, reach out to us: contactus@sandboxsecurity.ai
