Service Providers and PCI Compliance, Part 3 – Remediating Missing Due Diligence

In part one of this series, we discussed an organization's PCI-DSS compliance obligations when they use cloud services (IAAS, PAAS, or SAAS). Part two contained a summary of up-front due diligence activities to perform to ensure that new service providers are initially assessed for PCI compliance and other risks so that the organization remains PCI compliant. However, we realize that in many organizations, the up-front due diligence train left the station years ago. In this post, we discuss remedies in these situations.


It really is about: Compliance. Compliance. Compliance.


A typical service provider relationship in the context of PCI exists without the proper due diligence taking place. An organization that identifies such service providers may itself be out of compliance with PCI-DSS control 12.8.2, which reads, “Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.”


The problem here is this: a service provider may not be willing to renegotiate an agreement during its term. However, where a specific service provider is not being held to PCI-DSS compliance through the business agreement, your leverage, while narrow, is this: it would look particularly bad for a service provider to refuse to be PCI compliant, given that they are storing, transmitting, or processing cardholder data (CHD) on behalf of your organization, and perhaps many others. Such a refusal would be, in effect, a statement of unwillingness to comply with PCI-DSS.


Another point of leverage is renewal time. Unless a business agreement with a service provider is perpetual with no end date, renewal (even if automatic) is an opportunity to bring the service provider back to the table. At the very least, an organization should be able to compel a service provider to agree to comply with PCI-DSS, even if just specific requirements or groups of requirements. This should be a welcome development, but it will be critical to go back to that Responsibility Matrix (you have that, right?) to ensure that there are no gaps in coverage. When a service provider has agreed to renegotiate an agreement, Part 2 of this series provides details on items to include in the agreement.


If a third-party service provider refuses to negotiate on even basic PCI-DSS compliance terms, an organization may need to consider severance of the agreement. Otherwise, the organization's PCI-DSS compliance may itself be in jeopardy. While a single service provider's refusal to agree in writing to be PCI-DSS compliant might not jeopardize the organization's compliance, it may nonetheless invite unwelcome scrutiny, particularly if the organization undergoes annual external PCI audits by a QSA firm. A scrupulous QSA auditor could call out the lack of such an agreement and mark this as an item to remedy prior to receiving a clean audit report.


When approaching the topic of renegotiating agreements with service providers, it is essential to allow plenty of time for extended discussions. Sounding the alarm at the last minute is not a productive way to bring parties to the table to agree on sweeping new obligations. Avoiding these situations is advised, and this avoidance requires planning and a good set of records that document all of the service providers, with all pertinent metadata including that Responsibility Matrix we keep mentioning. While time is not our friend, ample advance notice is the best tool to use to move the compliance needle in the right direction.


Part 4 of this series will explore compliance matters with third-party AOCs (Attestations of Compliance). Future installments will address specific controls needed in selected IAAS providers.

Sean Smith
Practice Manager, PCI Advisory Services | Optiv
Sean Smith brings over 25 years of experience in information security, architecture, risk management, compliance, governance, strategy, and executive level leadership. In Sean’s role with Optiv, he is responsible for leading Optiv’s PCI Advisory Services organization. Sean has been a QSA for over 9 years and has been working in credit card compliance since before PCI DSS version 1.0. Over the course of Sean’s tenure with Optiv, he has led and delivered numerous PCI DSS assessments and vCISO engagements, providing executive level strategy on cardholder compliance, information security, and risk, and ensuring the successful implementation of strategies that align credit card compliance and information security with client business goals.

Prior to joining Optiv, Sean was the head of information security at several level 1 merchants and service providers in the healthcare, finance, and retail verticals. Sean holds many industry certifications including CISSP, CISA, QSA, ASV, Secure Software Lifecycle Assessor, and Secure Software Assessor.
Peter Gregory
Director, Information Security
Peter Gregory is a director in Optiv's Office of the CISO. He is a leading security technologist and strategist with a long professional history of advancing security technology, compliance and risk management at all levels of corporate culture. He has published more than 40 books and authored more than 30 articles for leading trade publications in print and online.