12.8 Risk to information assets associated with third-party service provider (TPSP) relationships is managed.
This requirement ensures that an organization manages the risk to its information assets arising from third-party service provider relationships through a maintained TPSP inventory, written agreements, due diligence before engagement, and ongoing monitoring of each TPSP's PCI DSS compliance status.
Sub-requirements:
- 12.8.1 A list of all third-party service providers (TPSPs) with which account data is shared or that could affect the security of account data is maintained, including a description of the services each provides
- 12.8.2 Written agreements with TPSPs are maintained, including acknowledgments from TPSPs that they are responsible for the security of account data they possess or otherwise store, process, or transmit on behalf of the entity, or to the extent they could affect the security of the entity's CDE
- 12.8.3 An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement
- 12.8.4 A program is implemented to monitor TPSPs' PCI DSS compliance status at least once every 12 months
- 12.8.5 Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity
12.8 Third-party service provider (TPSP) relationships are managed.
Ensure that all TPSPs with which account data is shared, or that could affect the security of account data or the CDE, are identified, managed, and monitored for PCI DSS compliance.
Frequently Asked Questions
What is a TPSP?
A third-party service provider is a business entity, other than a payment brand, that stores, processes, or transmits account data on behalf of another entity, or that provides services which could affect the security of account data or the cardholder data environment (for example, hosting, managed security, or remote support providers). Access to cardholder data is not required: a provider that can affect its security is in scope.
How are TPSPs managed?
Through a maintained inventory, written agreements, due diligence before engagement, verification of PCI DSS compliance status at least once every 12 months, and a documented split of which requirements each party is responsible for.
What evidence of TPSP compliance is required?
An Attestation of Compliance (AOC), or other documentation showing PCI DSS compliance. Check that the AOC is current, that its scope actually covers the services the TPSP provides to you, and which requirements it states the TPSP meets. If a TPSP has not been assessed separately, its services must be assessed as part of the entity's own PCI DSS assessment.
How are TPSP contracts managed?
Contracts must include the TPSP's acknowledgment of responsibility for the security of the account data it handles, or for the extent to which it could affect the security of the CDE, and must be reviewed regularly and updated when the service or the applicable PCI DSS requirements change.
What happens if a TPSP is non-compliant?
The relationship is reviewed, and corrective action or termination may be required.
Common QSA Questions
Can you show your TPSP inventory and compliance records?
Yes, we maintain an up-to-date inventory and compliance documentation for all TPSPs.
How are TPSP contracts reviewed and updated?
Contracts are reviewed annually and updated as needed to include current PCI DSS requirements.
How is ongoing TPSP compliance monitored?
Through reviews at least once every 12 months, collection and scope-checking of each TPSP's AOC, and risk assessment of the relationship.