Managing Third-Party Service Providers (TPSPs) with PCI Proxy

Compliance / January 1, 2025 / 5 min read

Partnering with third-party service providers (TPSPs) has become an integral part of modern payment operations for both merchants and service providers. Whether you are a global retailer working with multiple payment gateways and acquirers or a business outsourcing payment fraud detection to experts, leveraging specialized TPSPs is essential to staying competitive.

Working with TPSPs in the payments ecosystem often involves the exchange of sensitive payment data, such as the primary account number (PAN), to enable the seamless delivery of services such as transaction processing, fraud prevention, and secure data storage. Every organization that interacts with payment data plays a crucial role in protecting its security, as even a single weak link in the chain can have devastating consequences for businesses and their customers.

To address the increasing risks associated with third-party relationships, the Payment Card Industry Security Standards Council (PCI SSC) has established specific third-party risk management requirements and has just released updated guidance to help businesses better manage their TPSPs. These updates clarify how organizations should oversee TPSPs, outline the responsibilities TPSPs have towards their customers, and emphasize the shared responsibility of ensuring the security of payment data.

In this blog, we’ll explore the importance of effective TPSP management and dive into what PCI DSS compliance entails, empowering you to protect both your customers and your business with confidence.

What Evidence Must a TPSP Provide to Demonstrate PCI DSS Compliance?

As outlined above, there are different scenarios in which businesses might use one or more TPSPs to store, process, or transmit payment data, or to manage in-scope system components on the customer’s behalf. To determine which of your TPSPs fall within scope, look for TPSPs that have access to the customer’s cardholder data environment (CDE), manage in-scope system components on the customer’s behalf, and/or can impact the security of the customer’s cardholder data and/or sensitive authentication data.

When working with TPSPs, businesses must actively manage and oversee these partnerships to ensure compliance with PCI DSS requirements. At the same time, TPSPs must provide clear, actionable evidence to demonstrate their compliance status. Knowing the PCI DSS compliance status of all engaged TPSPs provides assurance and awareness about whether they comply with the requirements applicable to the services they offer to the organization.

If a TPSP has a PCI DSS Attestation of Compliance (AOC), the expectation is that the TPSP provides it to customers upon request to demonstrate its PCI DSS compliance status. The AOC is the official document issued by the PCI SSC to confirm the results of a PCI DSS assessment, based on either a Self-Assessment Questionnaire D (SAQ D) or a Report on Compliance (ROC). It is important to note that if a TPSP only provides evidence of compliance with a subset of PCI DSS requirements (e.g., SAQ A), this is not sufficient for compliance validation. The same applies to certificates or non-official documents, as they cannot replace the authorized PCI SSC reporting templates such as the AOC or ROC.

Additionally, per PCI DSS Requirements 12.9.1 and 12.9.2, TPSPs are obligated to share information on which PCI DSS requirements they are responsible for, and which requirements remain the customer’s responsibility as part of a shared responsibility matrix. This shared responsibility matrix ensures clarity in compliance obligations between TPSPs and their customers.

If the TPSP did not undergo a PCI DSS assessment, it may be able to provide other sufficient evidence to demonstrate that it has met the applicable requirements without undergoing a formal compliance validation. For example, the TPSP can provide specific evidence to the customer’s assessor so the assessor can confirm applicable requirements are met. Alternatively, the TPSP can elect to undergo multiple on-demand assessments by each of its customers’ assessors, with each assessment targeted to confirm that applicable requirements are met.

What Does “Managing TPSPs” Include?

Effective management of TPSPs involves more than just maintaining a list of vendors. Businesses must implement processes to ensure that all TPSPs with access to cardholder data meet the PCI DSS requirements. This includes conducting risk assessments, ensuring due diligence, defining security responsibilities, and continuously monitoring third-party activities.

The PCI DSS explicitly includes requirements for managing TPSPs, which can quickly become an overwhelming task depending on the number of service providers involved. The key requirements under PCI DSS for managing TPSPs include:

How PCI Proxy Can Support You

At PCI Proxy, we know how challenging it can be to manage and validate the compliance statuses of Third-Party Service Providers (TPSPs). With over 20 years of expertise and a dedicated compliance team, we simplify this process for our customers by validating more than 500 TPSPs annually.

Our automated tools and proven workflows are designed to keep your TPSP relationships secure and compliant. By handling the complexities of validations and renewals, we take the heavy lifting off your shoulders. With our comprehensive validation service, you can focus on your core business while we ensure all compliance tasks are managed efficiently, minimizing your PCI DSS efforts.

As businesses increasingly rely on third-party providers, maintaining their compliance status is more critical than ever to secure your environment and safeguard sensitive data. PCI Proxy is here to guide you every step of the way, ensuring your TPSPs adhere to the highest security standards.

Have questions or need assistance? Don’t hesitate to reach out to us – we’re here to help!

Sascha Huwyler
Head of PCI Proxy

“Independent, fast and reliable – in this age of dizzying transformation, following through is more important than ever. We don’t promise anything we can’t actually deliver. And we stand by what we say.”
