One of the topics our team of QSA’s gets asked frequently is about what kind of language should be in PCI Service Provider contracts to meet the intent of PCI DSS requirement 12.8.2, which is as follows:
12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess. | 12.8.2 Verify that the written agreement includes an acknowledgement by the service providers of their responsibility for securing cardholder data. |
The following resources may be of value if you are struggling with how best to meet the intent of this requirement.
This is a decent guide to using 3rd parties in relation to PCI compliance. Starting on page 15, you’ll find recommended language to include in contracts for requirement 12.8.
Also, North Carolina was kind enough to publish a sample contract template online.
As with any legal documents, you should have your legal counsel review the final language, but hopefully this will help to create something they’ll be happy with.
Jeremy Simon, PCI QSA, CISSP, CISA
Practice Lead, PCI Compliance Services
Get an update on PCI compliance. Discuss your PCI questions with our QSAs and team. Scope your requirements.
HALOCK is headquartered in Schaumburg, IL, in the Chicago area and advises clients on reasonable information security and conducts PCI preparedness assessment, scoping, remediation, validation, and compliance maintenance services throughout the US.
PCI DSS Requirements
PCI DSS Requirement 5.4.1: Anti-spoofing controls such as DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance, Sender Policy Framework (SPF), and Domain Keys Identified Mail (DKIM) can help stop phishers from spoofing the entity’s domain and impersonating personnel.
Clarification on eCommerce Outsourcing PCI DSS requirements 6.4.3 and 11.6.1
Unpacking the New PCI DSS Password Standards
Is Your Organization Prepared for PCI DSS Automation – Requirement 10.4.1.1?
What is the PCI DSS v4 Authenticated Scanning Mandate – Requirement 11.3.1.2?
What is the PCI DSS v4.0.1 Requirement for PoLP – Requirement 7.2.5?
The New PCI DSS v4.0.1 Software Catalog Mandate – Requirement 6.3.2
How to Analyze An Attestation of Compliance (AOC)
PCI Compliance New Requirements and Targeted Risk Analysis (TRA)
RESOURCES & NEWS
Learn more about Penetration Testing and new exploits in HALOCK’s Exploit Insider.
The Dangers of Legacy Protocols
PCI Targeted Risk Analysis & DoCRA
https://www.halock.com/pci-compliance-new-requirements-and-targeted-risk-analysis/
HIPAA & Penetration Testing & Incident Response Plans
Top Threats in Healthcare
https://www.halock.com/top-cyber-threats-in-healthcare/
Cloud Security Risk Management
https://www.halock.com/prioritized-findings-and-remediation-in-cloud-security-reporting/
Penetration Testing Reports to Manage and Prioritize Risk
https://www.halock.com/a-threat-based-approach-to-penetration-test-reporting/