How to Know if an MSP is PCI DSS Compliant

Managed service providers (MSPs) provide a valuable service by outsourcing information technology services, but they need to be compliant with the Payment Card Industry Data Security Standard (PCI DSS) – and just because they say they’re PCI DSS compliant doesn’t mean they’re a good fit. Below are our tips to go beyond the PCI DSS logo on an MSP’s website and determine whether they’re truly compliant.

Your MSP Needs True PCI DSS Compliance

PCI DSS is a set of information security standards published by the PCI Security Standards Council (SSC) for organizations that store, process or transmit cardholder data. PCI DSS includes twelve requirements that organizations are required to implement for compliance. It is critical to understand which service offerings of a PCI DSS-compliant service provider are truly compliant and which requirements were included in the assessment. Merely selecting a service provider that says they are PCI DSS compliant could waste your time, money and resources – or put you at risk of being noncompliant.

Challenges with Selecting a PCI DSS Compliant MSP

A data center hosting provider is a good example of a challenge you may face when selecting an MSP. Data center hosting providers may have multiple service offerings, from the traditional “rack and pipe” offerings (where they provide the facility, network connectivity and power but the hardware and management of the devices remain in your control) to a fully managed solution where the hosting provider is responsible for the complete information technology environment. Add to the mix the cloud service offerings from the data center hosting provider and it can be challenging to determine where your compliance requirements end and where the data center hosting provider’s requirements begin.

How to Determine an MSP’s PCI DSS Compliance

Step One: Ask for Evidence

The first step to determine the MSP’s PCI DSS compliance status is to ask for evidence of a recent onsite assessment by a Qualified Security Assessor (QSA). Upon completion of a PCI DSS assessment, an Attestation of Compliance (AOC) and Report on Compliance (ROC) are issued. The AOC should document in Part 2a all services that were both included and not included within the assessment. As part of your vendor selection process, ask the MSP for their AOC and ROC. Some MSPs may not provide the full ROC, as it may contain confidential information, but will provide evidence of which requirements, services and locations were included in the PCI DSS assessment. However, don’t stop there.

There have been examples of MSPs providing clients with PCI DSS evidence that appears to show 95% of the requirements being covered by the data center hosting provider’s ROC – except the majority of the requirements covered in the scope of the MSP’s ROC applied only to their infrastructure and did not extend to the hosted clients’ environment. It is vital not to stop at step one, and to do your due diligence to ensure you won’t be unexpectedly on the hook for unforeseen requirements. You might want to ask your MSP for a responsibility matrix that defines both the MSP’s and customer’s responsibilities for each service offering of that MSP that you utilize.

Step Two: Review the Scope with the MSP

The next step is to review the scope of the assessment with the MSP to determine whether their PCI DSS compliant processes apply only to their internal processes or extend to the managed services that the customer is purchasing. Unless you perform this critical step of clearly articulating the division of responsibilities between you and the MSP, that division may not be properly understood. The above-mentioned responsibility matrix may help with this process. After receiving and vetting the responsibility information for each service, the next step is reviewing which requirements were assessed within the MSP’s assessment to ensure these were properly covered and found compliant. It’s important to note that critical security controls may not be properly implemented to secure the cardholder data environment, and it’s your responsibility to do your due diligence to ensure all requirements have been properly covered.

Step Three: Ensure PCI DSS Requirements are Followed

The final step is to ensure the vendor management steps outlined by PCI DSS requirements are followed by the MSP. This includes implementing a written agreement that documents the MSP’s PCI DSS requirements in relation to the services they provide and annually verifying their PCI DSS compliance. They should acknowledge their responsibility and not try to indemnify themselves from the areas for which they are responsible.

Looking Forward

As companies in the payment card industry look for ways to increase efficiencies and reduce information technology costs, MSPs will continue to be an important partner in achieving those goals. However, as processes and technology that have an impact on cardholder data are outsourced, increased focus should be placed on the PCI DSS requirements and overall security of the data.

How A-LIGN Can Help

As a PCI SSC registered PCI DSS Qualified Security Assessor Company (QSAC), A-LIGN offers Payment Card Industry Data Security Standard (PCI DSS) services to help meet your firm’s compliance needs.


Have questions about PCI DSS? Contact the professionals at A-LIGN at 888-702-5446 to find out how we can help.