Author: Viviana Wesley, PCI QSA
Some recent breaches of cardholder data have been the direct result of a successful compromise of a trusted third party to the breached entity. For example, a factor in the well-publicized breach at Target may have been compromised credentials of a trusted service provider with access to the Target internal network. In order to attain and maintain PCI compliance, all businesses must control the risk that third party service providers pose to the cardholder data environment. It’s important to understand the activities that you’ll need to undertake to manage this risk (third party risk management or TPRM).
In this document, we’ll summarize physical boundaries, contractual agreements, and monitoring programs. Additionally, we’ll discuss the value that can be found in the Appendices of the August 2014 PCI DSS V3.0 Third Party Assurance Information Supplement, both A and B.
The PCI Security Standards Council (PCI SSC or “The Council”) has published the PCI DSS V3.0 Third Party Assurance Information Supplement, dated August 2014, which is intended to provide guidance to entities engaging Third-Party Service Providers (TPSPs) with whom cardholder data (CHD) is shared or that could impact the security of CHD. The Council identifies TPSPs as entities that are involved in the storing, processing, or transmission of cardholder data, or that can affect the security of the Cardholder Data Environment (CDE). Before explaining how to manage these TPSP relationships, the information supplement provides examples of TPSPs to help organizations properly determine which providers fall under PCI DSS compliance obligations.
At forty-seven pages, the guidance may seem a little intimidating to those who are not intimately familiar with the Data Security Standard (DSS). However, all businesses, whether PCI compliant or not, should review this new clarification to ensure they understand how to perform due diligence on these entities, map services to PCI DSS requirements, know what should be included in written agreements with TPSPs, and properly monitor TPSP compliance status. Please keep in mind that this information supplement (just like all other information supplements released by the PCI SSC) does not supersede, replace, or extend the PCI DSS requirements; it is merely intended to provide additional guidance on how the new PCI DSS requirements can be addressed.
The Third Party Assurance Information Supplement reduces the ambiguity of the PCI DSS V3.0 requirements. In short, companies have three primary methods of managing third parties: physical boundaries, contracts, and monitoring programs.
The information supplement explains that the scope of the services provided needs to be properly established. This includes the recommendation to establish physical boundaries between third parties that do not require access to cardholder data and network segments and systems that contain or transmit cardholder data. Every third party that can be removed from the scope of the annual PCI assessment is one less point of validation for the assessment.
Prior to engaging a new TPSP, the assessed entity should always perform due diligence to identify the impact that the TPSP has on the entity’s PCI DSS scope. Each organization will need to determine the appropriate due diligence path for researching a potential TPSP taking into consideration their own CDE. The Information Supplement provides a workflow (Figure 2: Example of Due Diligence Process) that details one high-level flow that an organization could follow when performing due diligence research on a potential TPSP.
The Supplement also recommends that organizations perform a risk assessment of their TPSPs based on an industry-accepted methodology. The Information Supplement provides a high-level list of questions and topics that may be appropriate to consider during a risk assessment of a TPSP. If the organization needs guidance on how to perform a risk assessment, the PCI SSC offers another Supplement titled PCI DSS Risk Assessment Guidelines.
For those third parties that need access to network segments and systems containing cardholder data, a different set of rules applies. The next recommendation is to have a good contractual agreement with the third party that clearly defines expectations, change control, and validation requirements regarding all matters that can affect security. The PCI DSS V3.0 Third Party Assurance Information Supplement has a well-defined table outlining what businesses must do to engage third party service providers and when:
Third-Party Service Monitoring Program
The third and final recommendation for managing third parties is to develop a Third-Party Service Monitoring Program. The Council emphasizes that different levels of monitoring are appropriate for third parties with varying levels of impact on cardholder data security. Section 6.1.3 identifies the major activities for the monitoring program; in summary, the section states:
Documentation/Evidence: “Define the evidence and supporting documentation that will be collected from Third-Party Service Providers for analysis and retention…”
TPSP PCI DSS Compliance Status Review: “Describe the PCI DSS compliance status review process in detail, including specific information elements to be examined…”
Results Write-up: “Develop a report specification—or a reporting template—to aid the reviewer in documenting the results of the review of the Third-Party Service Provider’s PCI DSS compliance status…”
Review Follow-up: “Specify how Third-Party Service Provider PCI DSS compliance status review results are to be shared and approved internally…”
Access Control and Data Retention: “Define policies for monitoring and control of program deliverables (for example, supporting documentation, evidence, and results reporting) during generation and subsequent storage…”
To review section 6.1.3 in its entirety, view pages 26-27 of the Information Supplement.
Finally, the appendices provide excellent templates, tools, and guidance for managing your program. Appendix A is designed to help determine how PCI DSS requirements are shared between your company and your third party providers, and it can assist you in filling out Appendix B. Appendix B takes this a step further and introduces a tool to identify each PCI DSS requirement and which party carries the responsibility for it, or whether the responsibility is shared.
Appendix A provides high-level discussion points for determining responsibility. One of the new requirements in version 3.0 of the PCI DSS (12.8.5) requires the assessed entity to maintain information about which PCI DSS requirements are managed by each service provider and which are managed by the entity. The information found in Appendix A will help organizations compile this information for their own records as it provides instructions on how to perform and document the following:
- Steps to Determine Responsibility
- Discussion Points
- Entity or Third Party
- Evidence to be Provided
Appendix A should be reviewed and tailored to the individual organization. It contains discussion points, but does not provide an exhaustive list. Organizations will need to consider their own circumstances, payment environment, the TPSP’s role, and other factors while going through the due diligence process.
Appendix B takes the information gathered in Appendix A and provides the entity with a Sample PCI DSS Responsibility Matrix that can be used to satisfy the documentation/evidence required to comply with the new 12.8.5 requirement. These two appendices are a great way for entities working with TPSPs to determine which PCI DSS requirements fall under which organization’s PCI DSS Scope and Responsibility.
Appendix B is not mandatory, but it can assist in answering important questions such as:
- Who performs/manages/maintains the required control?
- How is the control implemented, and what are the supporting processes?
- How will the TPSP provide ongoing assurance and/or evidence that controls are being met? (reports, test results, notifications, etc.)
Remember, if a third party has access to your in-scope network segments or systems containing cardholder data, they will need to either be PCI DSS compliant themselves or be included in the scope of your PCI assessment. Just as good fences make good neighbors, good contracts and monitoring make for good third party partner relations. To learn more about the clarification surrounding third party vendor management, we suggest you download and read the full PCI DSS V3.0 Third Party Assurance Information Supplement.
So tell us what you think of this new Supplement. Does it help you with managing your third party vendors? Let us know in the comments.