
PCI DSS Compliance

The PCI DSS and Third-Party Risk Management

The Payment Card Industry Data Security Standard (PCI DSS) was developed to enhance cardholder data security and to facilitate the broad adoption of consistent data security measures globally. The standard applies to all entities that store, process or transmit cardholder data, and to entities whose systems could affect the security of that data. Its 12 requirements, grouped into six control objectives, aim to ensure that organizations have the proper controls and procedures in place to secure cardholder data.

Specific to third-party risk management, PCI DSS requirements apply to organizations that have outsourced either their payment operations or the management of systems (such as routers, firewalls, databases, physical security and/or servers) involved in transmitting, storing or protecting cardholder data. Those third parties are responsible for protecting the data per the applicable PCI DSS requirements. Outsourcing does not transfer the customer's own obligations, however: the entity remains responsible for its own PCI DSS compliance and for managing its service providers as Requirement 12.8 describes.

It’s crucial for third parties to demonstrate compliance with PCI DSS requirements, and that’s where an internal controls assessment is essential – a survey with questions mapped to specific PCI DSS requirements, with the ability to attach applicable agreements and contracts as evidence alongside the answers. If a third party undergoes its own PCI DSS assessment, it should: “…provide sufficient evidence to their customers to verify that the scope of the service provider’s PCI DSS assessment covered the services applicable to the customer and that the relevant PCI DSS requirements were examined and determined to be in place.”

All service providers with access to cardholder data – including shared hosting providers, which must protect each hosted entity’s environment and data – must adhere to PCI DSS. The remainder of this page focuses on the service provider management requirements in Requirement 12 (12.8 and 12.9) and how a third-party risk management program can address them.


Meeting PCI DSS Guidelines

Here's how Prevalent can help you address PCI DSS third-party risk management guidelines. Requirement text and numbering below follow PCI DSS v3.2.1; each requirement is followed by how we help.

PCI Guidelines / How We Help

Requirement 12: Maintain a policy that addresses information security for all personnel.

12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:

12.8.1 Maintain a list of service providers including a description of the service provided.

Prevalent offers an internal automated qualification assessment that enables you to gather the required details about every entity your organization works with, across all departments. Prevalent uses standardized rule-based profiling and tiering logic to help risk and security teams understand the scope of their vendor population. Through a combination of information collection and specific tiering questions, the platform weighs the nature of the data interaction together with financial, regulatory and reputational considerations to assign each vendor a tier. This ensures that third parties are assessed in proportion to their importance to the organization and provides a central repository for vendor management, including the description of the service each provider delivers.

12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

Prevalent enables organizations to centralize agreements, contracts and supporting evidence with built-in task and acceptance management, plus mandatory upload features. A dedicated contract assessment in the platform raises risks related to the achievement of contract clauses. Visualizing breaches of certain contract requirements or clauses ensures that organizations have the insights they need when renewing contracts.

12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.

Prevalent delivers a customized PCI assessment that incorporates all 12 requirements, with built-in workflow to ensure the entire process – from survey collection and analysis to risk identification and reporting – is automated and efficient.

12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.

Prevalent offers a customizable survey to gather and analyze compliance and performance data from each service provider, delivering a single repository of all third-party vendor evidence that can be reviewed on an annual cycle.

12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.

Prevalent enables organizations to centralize agreements, contracts and supporting evidence, including the documentation that records which PCI DSS requirements each service provider manages and which remain with the entity.

12.9 Additional requirement for service providers only: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.

As for 12.8.2, Prevalent centralizes the written acknowledgements, agreements, contracts and supporting evidence with built-in task and acceptance management, plus mandatory upload features. The dedicated contract assessment raises risks related to unmet contract clauses, so that both service providers and their customers have visibility into the acknowledgement obligations when contracts are renewed.
