Back in March we discussed how the use of purpose-built payment terminals can minimize your data breach exposure by isolating sensitive cardholder data to systems that have very small attack surfaces which hackers are unlikely to penetrate. While diligently maintaining the data security posture of your own internal IT infrastructure continues to be of paramount importance, section 12.8 of the Payment Card Industry Data Security Standard (PCI DSS) version 3.1 specifically mandates that merchants take steps to monitor the PCI DSS compliance of all third-party service providers with access to cardholder data.
In other words, it is ultimately your responsibility to ensure that any service providers you use to process, store or transmit cardholder data are PCI DSS compliant. Businesses that closely adhere to section 12.8 of the PCI DSS can greatly reduce their liability for a cardholder data security breach that occurs at a third-party service provider.
Some examples of third-party vendors that may fall within scope of PCI DSS section 12.8 include merchant account providers, payment gateway providers, cloud-based POS system providers, off-site or cloud-based data backup providers, data center providers and managed IT services providers. It is important to note that Payment Logistics does process, transmit and store cardholder data, and as a result we are required to validate compliance with the PCI DSS annually by undergoing an onsite audit performed by a Qualified Security Assessor certified by the Payment Card Industry Security Standards Council.
Section 12.8 of the PCI DSS version 3.1 clearly outlines the requirements for monitoring third-party vendors who handle cardholder data. The steps below can help you determine the PCI DSS status of your service providers:
- Reach out to third party vendors and request their PCI DSS compliance status. If they are PCI DSS compliant, they should be able to provide you with a copy of their Attestation of Compliance (AOC). Be sure to verify that the scope of their PCI DSS assessment covered the services applicable to your business and that the relevant PCI DSS requirements were examined and determined to be in place. If a provider cannot provide you with their AOC, ask them to provide you with a written explanation of why they are not in scope of the PCI DSS or what their plan and timeline is to become compliant with the PCI DSS.
- Verify PCI DSS compliance status on the Visa® Global Registry of Service Providers: www.visa.com/splisting.
- Follow up with third-party service providers at least annually to ensure they are maintaining compliance with the PCI DSS.
- Familiarize yourself with all of the PCI DSS requirements. Don’t rely on anyone else to provide you with accurate information regarding the security of your business data.
For additional information regarding PCI DSS, including section 12.8, download the PCI DSS Requirements and Security Assessment Procedures version 3.1 online.
If you have any questions regarding PCI DSS compliance, do not hesitate to contact our Customer Support team at 888.624.3687, M-F, 7am-5:30pm Pacific.