One of the topics our team of QSA’s gets asked frequently is about what kind of language should be in PCI Service Provider contracts to meet the intent of PCI DSS requirement 12.8.2, which is as follows:
12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess. | 12.8.2 Verify that the written agreement includes an acknowledgement by the service providers of their responsibility for securing cardholder data. |
The following resources may be of value if you are struggling with how best to meet the intent of this requirement.
This is a decent guide to using 3rd parties in relation to PCI compliance. Starting on page 15, you’ll find recommended language to include in contracts for requirement 12.8.
Also, North Carolina was kind enough to publish a sample contract template online.
As with any legal documents, you should have your legal counsel review the final language, but hopefully this will help to create something they’ll be happy with.
Jeremy Simon, PCI QSA, CISSP, CISA
Practice Lead, PCI Compliance Services
Get an update on PCI compliance. Discuss your PCI questions with our QSAs and team. Scope your requirements.
HALOCK is headquartered in Schaumburg, IL, in the Chicago area and advises clients on reasonable information security and conducts PCI preparedness assessment, scoping, remediation, validation, and compliance maintenance services throughout the US.