
12.8.3 An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

12.8.3 An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement.

Customized Approach Objective

The capability, intent, and resources of a prospective TPSP to adequately protect account data are assessed before the TPSP is engaged.

Defined Approach Testing Procedures

12.8.3.a Examine policies and procedures to verify that processes are defined for engaging TPSPs, including proper due diligence prior to engagement.

12.8.3.b Examine evidence and interview responsible personnel to verify the process for engaging TPSPs includes proper due diligence prior to engagement.

Purpose

A thorough process for engaging TPSPs, including details for selection and vetting prior to engagement, helps ensure that a TPSP is thoroughly vetted internally by an entity prior to establishing a formal relationship and that the risk to cardholder data associated with the engagement of the TPSP is understood.

Good Practice

Specific due-diligence processes and goals will vary for each organization. Elements that should be considered include the provider's reporting practices, breach-notification and incident response procedures, details of how PCI DSS responsibilities are assigned between each party, how the TPSP validates their PCI DSS compliance and what evidence they provide.

Purpose

Ensure TPSPs provide evidence of PCI DSS compliance annually.

Compliance Strategies

  • Annual compliance attestation collection
  • AOC review

Typical Policies

  • TPSP Compliance Verification Policy

Common Pitfalls

  • No evidence collected
  • Expired AOCs

Type

Process Control

Difficulty

Moderate

Key Risks

  • TPSPs not compliant

Recommendations

  • Automate AOC collection and reminders

Eligible SAQ

  • SAQ-A
  • SAQ-A-EP
  • SAQ-B
  • SAQ-B-IP
  • SAQ-C
  • SAQ-C-VT
  • SAQ-D MERCHANT
  • SAQ-D SERVICE PROVIDER
