The Payment Card Industry Security Standards Council (PCI-SSC) today released recommendations for meeting the PCI Data Security Standard (PCI-DSS) when sharing cardholder data with third-party service providers. PCI-DSS requires a merchant or other entity entrusted with cardholder data to ensure that the cardholder data continues to be protected when it is provided to a third party.
The guidance focuses on helping organizations and their business partners implement a third-party assurance program. It includes recommendations on: conducting due diligence and risk assessment when engaging third-party service providers; implementing a process for engaging third parties that includes setting expectations, establishing a communication plan, and mapping third-party services and responsibilities to the applicable PCI-DSS requirements; developing agreements, policies, and procedures with third-party service providers; and implementing a relationship-management process that covers the entire life cycle of the third-party relationship.
The guidance includes information on when due diligence with respect to a third party’s PCI-DSS compliance may be required and an example of a due diligence process. It also reminds organizations that they cannot outsource their own PCI-DSS accountability and compliance by using a third party service provider. However, as the guidance points out, “A robust and properly implemented third-party assurance program assists an entity in ensuring that the data and systems it entrusts to TPSPs are maintained in a secure and compliant manner. Proper due diligence and risk analysis are critical components in the selection of any TPSP.”
Written by Bruce Sarkisian, Associate, Privacy & Data Security | Alston & Bird LLP