Third Party Service Provider (TPSP) Management Policy Template
| Field | Value |
|---|---|
| Company Name | [Company Name] |
| Effective Date | [Date] |
| Version | [Version] |
| Policy Owner | [CISO/IT Director] |
| Document Classification | Confidential / Internal Use Only |
| Parent Policy | Information Security Policy |
Purpose
This policy establishes a comprehensive framework for managing third-party service providers (TPSPs) at [Company Name], so that every vendor with access to systems, networks, or data (especially those that affect the Cardholder Data Environment (CDE)) complies with PCI DSS v4.0.1 and company security requirements. The policy aims to protect the confidentiality, integrity, and availability of sensitive data and to address the regulatory, operational, and reputational risks associated with third-party relationships.
Scope
This policy applies to all third-party vendors and service providers who:
- Access, process, store, or transmit cardholder data on behalf of [Company Name].
- Provide services that control or could impact the security of cardholder data or the CDE.
- Are engaged by [Company Name] in any capacity, whether on-premise or remotely, and regardless of contract value.
Roles and Responsibilities
| Role/Group | Key Responsibilities |
|---|---|
| Executive & Senior Management | Ensure overall compliance with this policy and PCI DSS requirements; approve high-risk TPSP engagements; allocate resources and oversee program effectiveness |
| Information Security & IT | Oversee implementation and enforcement of this policy; conduct due diligence, risk assessments, and periodic audits; manage the TPSP inventory and monitor compliance; ensure vendor defaults are changed and technical controls are in place |
| Procurement & Legal | Facilitate vendor selection and contract negotiation; ensure security, data protection, and PCI DSS clauses are included in agreements; maintain contract documentation and lifecycle management |
| Business Units/Process Owners | Identify business needs for TPSPs; participate in risk assessment and due diligence; monitor TPSP performance and report incidents |
| Third-Party Vendors/Service Providers | Comply with [Company Name]'s information security and PCI DSS requirements; promptly report security incidents or breaches; cooperate with audits and incident response |
Policy Requirements
1. TPSP Inventory and Classification
- Maintain a comprehensive, up-to-date inventory of all TPSPs, including firmographic details, services provided, geographic location, compliance status, and contract information.
- Classify TPSPs by risk and criticality (e.g., high, moderate, low) based on inherent risk assessments considering data sensitivity, business impact, and regulatory exposure.
2. Vendor Default Modification Procedure
- All vendor-supplied defaults (passwords, SNMP community strings, default accounts) must be changed before a system is deployed or connected to the CDE.
- Remove or disable unnecessary default accounts.
- Document all changes, verification steps, and responsible personnel. Conduct periodic reviews and tests to verify compliance with this requirement.
3. TPSP Engagement and Due Diligence Process
- Initial Risk Assessment: Assess inherent risk using criteria such as data accessed, service criticality, regulatory requirements, financial/reputational risk, and reliance on fourth parties.
- Due Diligence:
  - Collect and review documentation: security policies, incident response plans, certifications (e.g., PCI DSS AOC, ISO 27001, SOC 2), financial health, and legal/regulatory compliance.
  - For TPSPs holding industry-recognized certifications, accept these as evidence for specific controls, but verify that the certification scope aligns with the services provided. Supplement with targeted assessments or questionnaires for any gaps.
  - Engage subject matter experts (SMEs) to review technical controls and provide risk opinions.
  - Document findings, assign risk ratings, and determine approval and monitoring requirements.
- Non-Disclosure Agreement (NDA): Execute NDAs prior to sharing sensitive information.
- Approval: Approvals are risk-based:
  - Low risk: Department Manager
  - Moderate risk: Information Security Officer
  - High/critical risk: Executive Management/Board
4. Contractual Requirements
- Maintain written agreements with all TPSPs handling or impacting cardholder data, including:
  - Explicit acknowledgment of TPSP responsibility for data security and PCI DSS compliance.
  - Detailed security requirements, right-to-audit, breach notification within 24 hours, data handling/destruction, and clear allocation of PCI DSS responsibilities.
- Apply version control, role-based access, and a contract review workflow for contract lifecycle management.
5. Ongoing Monitoring and Compliance Verification
- Monitor TPSP PCI DSS compliance at least annually by collecting AOCs or other evidence.
- Use automated tools and workflows for risk assessments, evidence tracking, and remediation management.
- Continuously monitor for changes in vendor security posture, emerging threats, and regulatory developments (including dark web and reputational monitoring).
- Review and update TPSP inventory, risk ratings, and contract status at least annually or upon significant change.
6. Incident Response and Breach Notification
- Require TPSPs to report security incidents or breaches affecting [Company Name] within 24 hours, cooperate with investigations, and participate in incident response exercises.
- Regularly test incident response plans, including TPSP involvement, to ensure readiness.
7. Termination and Offboarding
- Ensure secure return or destruction of [Company Name] data, revocation of access, return of assets, and final security review upon TPSP contract termination.
- Document and track completion of offboarding steps.
8. Training and Awareness
- Provide security awareness training to TPSPs as appropriate, covering company-specific requirements and PCI DSS obligations.
- Ensure internal staff involved in third-party risk management (TPRM) have appropriate training and, where applicable, industry certifications (e.g., CTPRP).
9. Documentation and Evidence
- Maintain thorough documentation of all TPRM activities, including risk assessments, due diligence, contracts, monitoring, and incident response records, for audit and compliance purposes.
Enforcement
- Non-compliance by employees, departments, or TPSPs may result in disciplinary action, contract termination, access revocation, and/or legal action.
- Exceptions to this policy require written justification, risk assessment, compensating controls, and approval by the Information Security Officer and Executive Management. Exceptions must be time-bound and reviewed regularly.
Revision History
| Version | Date | Author | Change Details |
|---|---|---|---|
| 1.0 | 2025-04-21 | [Author Name] | Initial policy release |
Approval
| Name | Title | Signature | Date |
|---|---|---|---|
| [CISO Name] | Chief Information Security Officer | | 2025-04-21 |
Appendix A: High-Level TPSP Engagement and Due Diligence Process
| Step | Description |
|---|---|
| 1 | Identify Business Need: Business unit identifies the need for a TPSP and submits a request. |
| 2 | Initial Risk Assessment: Assess inherent risk based on data sensitivity, criticality, and regulatory exposure. |
| 3 | Due Diligence: Collect and review documentation (security policies, certifications, financials). Accept industry certifications (PCI DSS AOC, ISO 27001, SOC 2) as evidence where scope aligns; supplement with targeted assessments for gaps. Engage SMEs for technical review. |
| 4 | NDA Execution: Execute an NDA before sharing sensitive data. |
| 5 | Approval: Route for risk-based approval (department, security, executive/board). |
| 6 | Contract Negotiation: Include all required security, compliance, and audit clauses. |
| 7 | Onboarding: Add to the TPSP inventory, assign a business owner, and set a monitoring schedule. |
| 8 | Ongoing Monitoring: Conduct periodic risk/compliance reviews, update risk ratings, and monitor for changes and incidents. |
| 9 | Offboarding: Secure data return/destruction, revoke access, and close the engagement. |
Note: If a TPSP holds a relevant industry certification, this may expedite the due diligence process, provided the certification’s scope and controls are validated as appropriate for the services provided. However, reliance on certification does not eliminate the need for risk-based assessment and ongoing monitoring.
Appendix B: Enhanced Due Diligence Checklist (Non-Certified TPSPs)
Use this checklist when TPSPs lack industry certifications (e.g., PCI DSS, ISO 27001, SOC 2).
| Category | Verification Requirements |
|---|---|
| Governance | Review organizational structure for security accountability |
| | Validate documented risk management framework (NIST, ISO, etc.) |
| | Confirm board-level oversight of cybersecurity programs |
| Compliance | Map controls explicitly to PCI DSS v4.0.1 requirements |
| | Verify adherence to GDPR, CCPA, and other region-specific regulations |
| | Review audit trails for PCI DSS control enforcement (e.g., quarterly firewall rule reviews) |
| Technical Controls | Penetration test results for CDE-connected systems (last 12 months) |
| | Evidence of ASV scans for externally facing systems |
| | Configuration standards for servers, firewalls, and databases |
| Incident Response | Tested incident response plan with card brand breach notification timelines |
| | Evidence of simulated breach exercises (e.g., tabletop scenarios) |
| Data Protection | Encryption methodology for PANs at rest and in transit (e.g., AES-256, TLS 1.2+) |
| | Key management processes (creation, rotation, destruction) |
| Access Management | Role-based access control (RBAC) matrices for CDE systems |
| | Quarterly reviews of privileged accounts |
| Subcontractors | List of fourth parties with access to the CDE |
| | Evidence of nested TPSP PCI DSS compliance |
| Business Resilience | Disaster recovery RTO/RPO metrics aligned with PCI DSS Requirement 12.10 |
| | Geographic redundancy for critical payment systems |
Appendix C: PCI DSS 4.0.1 Requirements Matrix
| PCI DSS Requirement | Entity Responsibility | TPSP Responsibility | Evidence Required |
|---|---|---|---|
| Requirement 2: Defaults | Maintain inventory of vendor defaults | Disclose all defaults pre-engagement | System configuration logs, change management records |
| Requirement 8.3: MFA | Enforce MFA policies for remote access | Implement MFA for all CDE connections | Access logs, MFA configuration screenshots |
| Requirement 12.8.5 | Document shared PCI DSS responsibilities | Provide responsibility matrix annually | Signed responsibility acknowledgment |
| Requirement 3.5.1 | Define cryptographic architecture | Encrypt PANs using approved protocols | Cryptography audit reports, key management procedures |
| Requirement 11.4.4 | Monitor intrusion detection systems | Alert entity of CDE anomalies within 1 hour | SIEM logs, incident response timelines |
Appendix D: Example Contract Clause for PCI DSS Requirement 12.8.2
By providing services to [Company Name], [Service Provider Name] acknowledges and agrees that it is responsible for maintaining the security of any account data it possesses, stores, processes, or transmits on behalf of [Company Name], or to the extent that it could impact the security of [Company Name]'s Cardholder Data Environment (CDE), in accordance with the Payment Card Industry Data Security Standard (PCI DSS) and any other applicable laws, regulations, or industry standards. [Service Provider Name] further acknowledges and agrees to implement and maintain appropriate security measures and controls to safeguard such data, including but not limited to encryption, access controls, monitoring, and incident response. [Service Provider Name] shall promptly notify [Company Name] of any actual or suspected security breach or unauthorized access to such data and shall cooperate with [Company Name] in investigating and resolving such incidents. This provision shall survive the termination or expiration of any agreement or relationship between the parties.
Appendix E: Service Provider List Template
| Service Provider | Description of Services Provided | Compliance Status | AOC Expiry Date | Agreement Location | Business Owner |
|---|---|---|---|---|---|
| [Provider Name] | [Description] | [Status] | [Date] | [Location] | [Name] |