Understanding the PCI Security Standards Council’s Information Supplement on Third-Party Security Assurance

By: Vincent Booker, Senior Consultant at A-LIGN

Understanding the PCI Security Standards Council’s Information Supplement on Third-Party Security Assurance: What You Should Be Asking Based on the New Requirements and Guidance.

Third-Party Security Assurance

As companies expand their reliance on third-party services providers (“TPSP”s) to store, process, or transmit cardholder data (“CHD”) or manage components in the cardholder data environment (“CDE”), such as routers, firewalls, databases, physical security, and/or servers, the lines of responsibility have blurred. When it comes to protecting and securing CHD and the CDE, it is important to note that an organization is not exempt from accountability and obligation. When selecting a TPSP it is important for an organization to perform its due diligence in selecting a provider and to have effective policies and procedures, as well as specific agreements in place to ensure CHD and the CDE are protected.

Choosing a Secure TPSP

With a myriad of TPSPs available, how does an organization choose the provider that best suits their needs? The best and most obvious answer would be to select the TPSP that is currently PCI DSS compliant. But many TPSPs have not attained this certification, so what should an organization do?

  1. First, determine the level of involvement the TPSP will have regarding the storing, processing, or transmission of cardholder data. This step is critical for an organization in assessing risk related to PCI DSS compliance.
  2. Next, conduct due diligence research of the TPSP.  The research should be based on the scope of the services performed by the TPSP to protect and secure the organization’s CHD and or CDE.
  3. The third step would be to conduct a documented risk assessment of the TPSP based on industry accepted methodology. The risk assessment should include, but not be limited to, the following items:
    • Information Security
    • Human Resources Practices
    • Physical Security
    • Configuration Management
    • Access Authorization
    • Incident Response
    • Malware Controls
    • Segregation and Security Controls

After evaluating a TPSP, there are additional steps the organization should take to determine if the provider is a good security fit for their needs. Because opinions vary on scope regarding responsibility in safeguarding CHD or CDE, the organization should obtain evidence to validate the TPSP’s provisional claims.

One of the most important but often overlooked steps is to establish clear lines of communication with the TPSP. By establishing a firm communication structure, organizations can set expectations and avoid unexpected actions conducted by the TPSP such as making changes without notifying key personnel within organization. Some changes made by the TPSP can have a negative impact on the organizations PCI compliance. Organizations should setup a communications schedule to ensure that any changes that impact the organization are communicated prior to making a change. Changes that could have negative impact without prior knowledge or agreement include:

  • Changes to the CDE
  • Changes to the entity’s or TPSP’s payment processing structure
  • Changes in personnel responsible for maintaining operations with the TPSP and entity
  • Changes in personnel involved with the due diligence initiative
  • Changes in processes, procedures, and methodologies that impact the CDE
  • All other instances where an activity will impact the scope of the entity

Another important step is to determine how the services provided by the TPSP map to the organization’s PCI DSS requirements (The applicable requirements will vary depending on the services provided by the TPSP). Mapping will allow the organization to determine if safeguards are in place to protect the CDE. Most importantly, it can aid in the decision to utilize the services of a particular TPSP or eliminate them from contention if there are major deficiencies.

Written Agreements, Policies, and Procedures

Once the TPSP has been chosen, all written agreement should be in place documenting services provided and Service Level Agreements (SLAs). The agreement should be reviewed annually to ensure that the safeguards in place are sufficient for the protection of the CHD and or CDE.

Agreements between PCI DSS Compliant Third-Party Service Providers versus non-PCI DSS Compliant Third-Party Service Providers

As stated earlier establishing a third-party relationship with a provider that is PCI DSS compliant is a significantly easier route to take when choosing a TPSP. The organization can request the current attestation of compliance to demonstrate compliance with PCI DSS.

When choosing a TPSP without PCI DSS compliance, the organization may need to cover some or the entire TPSP’s environment as a part of its own PCI DSS assessment. If the TPSP has access to CHD or can impact the security of the CDE, this will fall under the scope of the organization’s PCI DSS compliance and will need to be assessed.

Data Breaches

The organization should have a clearly defined plan regarding incident response. The policy must be delineated to the TPSP with predetermined executables on how and when the organization needs to be notified of a suspected data breach. In addition to the incident response plan required by PCI DSS, payment card brands and national or regional laws may require breach notification.


After establishing and agreement with a TPSP, the organization must always be vigilant and monitor the provider for changes and established SLAs. It is imperative for the organization to understand that even though they are outsourcing some of the responsibility, ultimately they are responsible for protecting the CHD and CDE.

If you have additional questions about the PCI Security Standards Council’s Information Supplement on Third-Party Security Assurance or how A-LIGN can provide PCI DSS assessment services for your organization, please call: 888-702-5446 or email us at [email protected].