Third-Party Service Providers and PCI DSS Compliance

The relationship between organizations and their third-party service providers (TPSPs) regarding PCI DSS compliance is often misunderstood. This article clarifies responsibilities and requirements for both parties.

Organization Responsibilities

Organizations that use third-party service providers remain responsible for ensuring PCI DSS compliance. When outsourcing payment processing or related functions, the organization must:

1. Perform due diligence when selecting service providers
2. Maintain written agreements that include acknowledgment of the service provider's responsibility for cardholder data security
3. Establish a process for monitoring the service provider's PCI DSS compliance status
4. Understand which PCI DSS requirements are handled by the service provider and which remain the organization's responsibility

Service Provider Responsibilities

Service providers must demonstrate PCI DSS compliance for all services that could impact the security of a customer's cardholder data environment, even if they don't directly store, process, or transmit payment card data. This includes:

1. Maintaining their own PCI DSS compliance
2. Providing evidence of compliance to customers
3. Clearly communicating which PCI DSS requirements they fulfill
4. For multi-tenant service providers, meeting additional requirements specified in PCI DSS Appendix A1

Evidence of Compliance

Service providers are expected to provide appropriate evidence of compliance to their customers, which may include:

Organizations should establish agreements with their service providers regarding how compliance information will be shared and verified.