Service Providers and PCI Compliance, Part 3 – Remediating Missing Due Diligence

In part one of this series, we discussed an organization's PCI-DSS compliance obligations when they use cloud services (IAAS, PAAS, or SAAS). Part two contained a summary of up-front due diligence activities to perform to ensure that new service providers are initially assessed for PCI compliance and other risks so that the organization remains PCI compliant. However, we realize that in many organizations, the up-front due diligence train left the station years ago. In this post, we discuss remedies in these situations.

It really is about: Compliance. Compliance. Compliance.

A typical service provider relationship in the context of PCI exists without the proper due diligence taking place. An organization that identifies such service providers may itself be out of compliance with PCI-DSS control 12.8.2, which reads, “Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.”

The problem here is this: a service provider may not be willing to renegotiate an agreement during its term. However, if in the situation a specific service provider is not being held to comply with PCI-DSS through the business agreement, your leverage, while narrow, is this: it would look particularly bad for a service provider to refuse to be PCI compliant, given that they are storing, transmitting, or processing cardholder data (CHD) on behalf of your organization, and perhaps many others. Such a refusal would be, in effect, a statement of unwillingness to comply with PCI-DSS.

Another point of leverage is renewal time. Unless a business agreement with a service provider is perpetual with no end date, renewal (even if automatic) is an opportunity to bring the service provider back to the table. At the very least, an organization should be able to compel a service provider to agree to comply with PCI-DSS, even if just specific requirements or groups of requirements. This should be a welcome development, but it will be critical to go back to that Responsibility Matrix (you have that, right?) to ensure that there are no gaps in coverage. When a service provider has agreed to renegotiate an agreement, Part 2 of this series provides details on items to include in the agreement.

If a third-party service provider refuses to negotiate on even basic PCI-DSS compliance terms, an organization may need to consider severance of the agreement. Otherwise, the organization's PCI-DSS compliance may itself be in jeopardy. While a single service provider's refusal to agree in writing to be PCI-DSS compliant might not jeopardize the organization's compliance, it may nonetheless invite unwelcome scrutiny, particularly if the organization undergoes annual external PCI audits by a QSA firm. A scrupulous QSA auditor could call out the lack of such an agreement and mark this as an item to remedy prior to receiving a clean audit report.

When approaching the topic of renegotiating agreements with service providers, it is essential to allow plenty of time for extended discussions. Sounding the alarm at the last minute is not a productive way to bring parties to the table to agree on sweeping new obligations. Avoiding these situations is advised, and this avoidance requires planning and a good set of records that document all of the service providers, with all pertinent metadata including that Responsibility Matrix we keep mentioning. While time is not our friend, ample advance notice is the best tool to use to move the compliance needle in the right direction.

Part 4 of this series will explore compliance matters with third-party AOC’s. Future installments will address specific controls needed in selected IAAS providers.