One question our team of QSAs gets asked frequently is what kind of language should be in PCI service provider contracts to meet the intent of PCI DSS requirement 12.8.2, which reads as follows:

Requirement 12.8.2: Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.

Testing Procedure 12.8.2: Verify that the written agreement includes an acknowledgement by the service providers of their responsibility for securing cardholder data.
The following resources may be of value if you are struggling with how best to meet the intent of this requirement.
http://www.sans.org/reading_room/whitepapers/compliance/contracting-pci-dss-compliance_33403
This is a decent guide to using third parties in relation to PCI compliance. Starting on page 15, you will find recommended language to include in contracts for requirement 12.8.
Also, the State of North Carolina was kind enough to publish a sample contract addendum online, which looks pretty decent:
http://www.ncosc.net/programs/pci/PCI_Requirement_12.8_Sample_Addendum.doc
As with any legal document, you should have your legal counsel review the final language, but hopefully these resources will help you draft something your counsel will be happy with.
Jeremy Simon, PCI QSA, CISSP, CISA
Practice Lead, PCI Compliance Services