Service Providers and PCI Compliance, Part 3 – Remediating Missing Due Diligence

October 09, 2019

In part one of this series, we discussed an organization's PCI-DSS compliance obligations when it uses cloud services (IaaS, PaaS, or SaaS). Part two summarized the up-front due diligence activities to perform so that new service providers are assessed for PCI compliance and other risks before onboarding, and the organization remains PCI compliant. However, we realize that in many organizations, the up-front due diligence train left the station years ago. In this post, we discuss remedies for those situations.

It really is about: Compliance. Compliance. Compliance.

It is typical for a service provider relationship within PCI scope to exist without proper due diligence ever having taken place. An organization that identifies such service providers may itself be out of compliance with PCI-DSS control 12.8.2, which reads, “Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.”

The problem here is this: a service provider may not be willing to renegotiate an agreement during its term. However, where a specific service provider is not contractually bound to comply with PCI-DSS, your leverage, while narrow, is this: it would look particularly bad for a service provider to refuse to be PCI compliant, given that it is storing, transmitting, or processing cardholder data (CHD) on behalf of your organization, and perhaps many others. Such a refusal would be, in effect, a statement of unwillingness to comply with PCI-DSS.

Another point of leverage is renewal time. Unless a business agreement with a service provider is perpetual with no end date, renewal (even if automatic) is an opportunity to bring the service provider back to the table. At the very least, an organization should be able to compel a service provider to agree to comply with PCI-DSS, even if just specific requirements or groups of requirements. This should be a welcome development, but it will be critical to go back to that Responsibility Matrix (you have that, right?) to ensure that there are no gaps in coverage. When a service provider has agreed to renegotiate an agreement, Part 2 of this series provides details on items to include in the agreement.

If a third-party service provider refuses to negotiate on even basic PCI-DSS compliance terms, an organization may need to consider severance of the agreement. Otherwise, the organization's PCI-DSS compliance may itself be in jeopardy. While a single service provider's refusal to agree in writing to be PCI-DSS compliant might not jeopardize the organization's compliance, it may nonetheless invite unwelcome scrutiny, particularly if the organization undergoes annual external PCI audits by a QSA firm. A scrupulous QSA auditor could call out the lack of such an agreement and mark this as an item to remedy prior to receiving a clean audit report.

When approaching the topic of renegotiating agreements with service providers, it is essential to allow plenty of time for extended discussions. Sounding the alarm at the last minute is not a productive way to bring parties to the table to agree on sweeping new obligations. Avoiding these situations is advised, and this avoidance requires planning and a good set of records that document all of the service providers, with all pertinent metadata including that Responsibility Matrix we keep mentioning. While time is not our friend, ample advance notice is the best tool to use to move the compliance needle in the right direction.

Part 4 of this series will explore compliance matters with third-party AOCs. Future installments will address specific controls needed in selected IaaS providers.

By: Sean Smith

By: Peter Gregory

Director, Information Security
