Meeting PCI DSS Third-Party Shared Hosting Provider Requirements

All service providers with access to cardholder data – including shared hosting providers – must adhere to PCI DSS. Here’s an overview of the areas to assess.
By: Scott Lang, VP, Product Marketing
March 09, 2020

Originally developed in 2004 and revised consistently since, the Payment Card Industry Data Security Standard (PCI DSS) aims to enhance cardholder data security and to facilitate the broad adoption of consistent data security measures worldwide. The standard applies to all entities that store, process or transmit cardholder data. With 12 requirements across six areas, the standard is designed to ensure that organizations have the proper controls and procedures in place to secure cardholder data.

Specific to third-party risk management, PCI DSS requirements are applicable to organizations that have outsourced:

  • their payment operations; or
  • the management of systems (such as routers, firewalls, databases, physical security and/or servers) that are involved in transmitting, housing or protecting cardholder data.

Third parties are therefore responsible for ensuring that the data is protected per the applicable PCI DSS requirements.

It’s crucial for third parties to demonstrate compliance with PCI DSS requirements, and that’s where an internal controls assessment is essential: a survey with specific PCI requirement questions, plus the ability to attach applicable agreements and contracts as evidence alongside the answers. If a third party performs a PCI DSS assessment, they should:

“…provide sufficient evidence to their customers to verify that the scope of the service provider’s PCI DSS assessment covered the services applicable to the customer and that the relevant PCI DSS requirements were examined and determined to be in place.”

All service providers with access to cardholder data – including shared hosting providers – must adhere to PCI DSS; shared hosting providers must protect each entity’s hosted environment and data. This blog focuses specifically on those hosting provider requirements.

PCI DSS Requirements

The list below summarizes the third-party-related PCI DSS guidance and how Prevalent can help your organization address these requirements. For the purposes of this blog (and considering the breadth of the PCI standard), only requirements 12.8 and 12.9 are reviewed. With regard to Appendix A1 (Additional PCI DSS Requirements for Shared Hosting Providers), the requirement and associated testing procedures can be addressed through assessments available in the Prevalent platform.

Please be sure to review the entire PCI DSS standard to determine how each requirement applies to your business.

Requirement 12.8

Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data

12.8.1 Maintain a list of service providers including a description of the service provided

Prevalent offers an internal automated qualification assessment that enables you to gather the required details about all entities your organization works with, across all departments, to satisfy requirement 12.8.1. Prevalent uses standardized rule-based profiling and tiering logic to help risk and security teams understand the scope of their vendors. Through a combination of information collection and specific tiering questions, Prevalent draws on data interaction, financial, regulatory and reputational considerations to inform tiering. This process ensures that third parties are assessed according to their importance to the organization and provides a central repository for vendor management.

12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

Prevalent enables organizations to centralize agreements, contracts and supporting evidence, with built-in task and acceptance management plus mandatory upload features, to address 12.8.2. A dedicated contract assessment in the platform raises risks related to the fulfilment of contract clauses. Visualizing breaches of specific contract requirements or clauses gives organizations the insight they need when renewing contracts.

12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.

Prevalent delivers a standardized PCI assessment incorporating all 12 requirements, with built-in workflow to ensure the entire process – from survey collection and analysis to risk identification and reporting – is automated and efficient.

12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.

Building on the requirement in 12.8.3, Prevalent offers a customizable survey to gather and analyze performance data, delivering a single repository of all third-party vendor evidence.

12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.

Prevalent enables organizations to centralize agreements, contracts and supporting evidence.

Requirement 12.9

Additional requirement for service providers only

Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

Prevalent enables organizations to centralize agreements, contracts and supporting evidence, with built-in task and acceptance management plus mandatory upload features. A dedicated contract assessment in the platform raises risks related to the fulfilment of contract clauses. Visualizing breaches of specific contract requirements or clauses gives organizations the insight they need when renewing contracts.

The Prevalent Difference

Prevalent can help address the third-party requirements published in the PCI standard by:

  • Assessing third parties using a comprehensive, standardized PCI assessment built into the Prevalent platform.
  • Automatically generating a risk register once a survey has been completed, filtering out unnecessary noise and zeroing in on areas of possible concern.
  • Matching documentation or evidence against risks and vendors, creating an audit trail for review.
  • Reporting against PCI compliance, including projecting future risks and compliance once recommended remediations are applied.
  • Identifying relationships between your organization and third parties to discover dependencies and visualize information paths.

With advisory, consulting and managed services, organizations that need to assess their third parties for PCI compliance can be assured of best practices with Prevalent.

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software. He can be reached on Twitter @scottinohio, LinkedIn and Facebook.