Companies often fail to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS) because they bought a 'magical' service from a vendor that promised compliance out of the box. No purchased service makes you compliant on its own. Start instead by designing an explicit strategy for meeting this goal, and treat every third-party service as one component of that strategy whose scope you must verify yourself.


Formal documents


When buying a service from a third party, make sure the supporting documents are correctly defined. The service provider should always:

  • provide a formal document defining the services it delivers
  • provide a formal document defining the scope of its PCI DSS compliance, i.e. which requirements the service covers
  • provide its current Attestation of Compliance (AOC), which certifies that the service has been assessed as PCI DSS compliant

When these documents are in place, the Qualified Security Assessor (QSA) can rely on the provider's AOC for the requirements it covers instead of assessing them again. Before relying on it, check the assessment date on the AOC (assessments are annual, so an old AOC may have lapsed) and confirm that the services listed on it match the services you actually use; an AOC that covers a different service does not reduce your scope.


Clarify Tasks and Responsibilities


It is of great importance that your company define the policies and procedures that involve the service provider and determine the tasks and responsibilities of each party for each requirement. A responsibility matrix that assigns every control to a party brings clarity during the PCI DSS process, and it is essential when you work with multiple service providers. PCI DSS v3.2 requirement 12.8.5 in fact requires you to maintain information about which requirements are managed by each service provider and which are managed by you.

The following table is a general example of how controls are assigned. For each PCI DSS requirement it shows where the responsibility for the control, and for providing the evidence, lies: with you, with the service provider, or shared between both. Your service provider specifies which part of a requirement it covers; you, as the customer, must implement and evidence the rest of that requirement yourself.

Acknowledgement of responsibility


Remember that hiring a third party does not automatically make you PCI DSS compliant. Always analyse carefully the scope of each service offered, and clarify and double-check who is responsible for providing the evidence for each requirement. Make sure this is agreed in writing between you and the service provider. PCI DSS v3.2 requirement 12.8 (specifically 12.8.2) requires you to maintain a written agreement that includes an acknowledgement that the service provider is responsible for the security of the cardholder data it possesses or otherwise stores, processes or transmits on your behalf.

About the author:
Natalia Moreno is a security professional specialising in PCI DSS, with over 12 years of experience.