PCI DSS Compliance

Requirement 6: Develop and Maintain Secure Systems and Software

6.3 Security vulnerabilities are identified and addressed.

6.3.2 An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software is maintained to facilitate vulnerability and patch management.

6.3.2.a Examine documentation and interview personnel to verify that an inventory of bespoke and custom software and third-party software components incorporated into bespoke and custom software is maintained, and that the inventory is used to identify and address vulnerabilities.

6.3.2.b Examine software documentation, including for bespoke and custom software that integrates third-party software components, and compare it to the inventory to verify that the inventory includes the bespoke and custom software and third-party software components.

With the Prevalent Platform, you can require vendors to provide updated software bills of materials (SBOMs) for their software products and attach them as evidence or important documentation associated with the vendor. This will help you centralize the management of important artifacts and identify any potential vulnerabilities or licensing issues that may impact your organization’s security and compliance.

Requirement 12: Support Information Security with Organizational Policies and Programs

12.8 Risk to information assets associated with third-party service provider (TPSP) relationships is managed.

12.8.1 A list of all third-party service providers (TPSPs) with which account data is shared or that could affect the security of account data is maintained, including a description for each of the services provided.

12.8.1.a Examine policies and procedures to verify that processes are defined to maintain a list of TPSPs, including a description for each of the services provided, for all TPSPs with whom account data is shared or that could affect the security of account data.

12.8.1.b Examine documentation to verify that a list of all TPSPs is maintained that includes a Customized Approach Objective description of the services provided.

Using the Prevalent Platform, you can import third-party service providers into a central management system via a spreadsheet template or through an API connection to an existing procurement or vendor management solution, eliminating error-prone, manual processes.

The Platform provides a simple intake form for all stakeholders responsible for managing third parties so that all have input to the centralized third-party profile. This is available to everyone via email invitation, without requiring any training or solution expertise.

Build comprehensive third-party service provider profiles that include vendor firmographic details, geographic location, fourth-party technologies in use, and recent operational and financial insights with the Prevalent Platform. Having this accumulated data will enable you to report on and act against technology concentration risk.

12.8.2 Written agreements with TPSPs are maintained as follows:

• Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE.

• Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE.

12.8.2.a Examine policies and procedures to verify that processes are defined to maintain written agreements with all TPSPs in accordance with all elements specified in this requirement.

12.8.2.b Examine written agreements with TPSPs to verify they are maintained in accordance with all elements as specified in this requirement.

With Prevalent, you can centralize the distribution, discussion, retention and review of vendor contracts to automate the contract lifecycle and ensure key clauses are enforced.

Key capabilities include:

• Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders, and status – with customized, role-based views
• Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
• Automated reminders and overdue notices to streamline contract reviews
• Centralized contract discussion and comment tracking
• Contract and document storage with role-based permissions and audit trails of all access
• Version control tracking that supports offline contract and document edits
• Role-based permissions that enable allocation of duties, access to contracts, and read/write/ modify access

With this capability, you can ensure that clear responsibilities and right-to-audit clauses are articulated in the vendor contract, and SLAs tracked and managed accordingly.

12.8.3 An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement.

12.8.3.a Examine policies and procedures to verify that processes are defined for engaging TPSPs, including proper due diligence prior to engagement.

12.8.3.b Examine evidence and interview responsible personnel to verify the process for engaging TPSPs includes proper due diligence prior to engagement.

Start by quantifying inherent risks for all third parties using Prevalent. Criteria used to calculate inherent risk for third-party prioritization includes:

• Type of content required to validate controls
• Criticality to business performance and operations
• Location(s) and related legal or regulatory considerations
• Level of reliance on fourth parties
• Exposure to operational or client-facing processes
• Interaction with protected data
• Financial status and health
• Reputation

From this inherent risk assessment, your team can automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.

Rule-based tiering logic enables vendor categorization using a range of data interaction, financial, regulatory, and reputational considerations

12.8.4 A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months.

12.8.4.a Examine policies and procedures to verify that processes are defined to monitor TPSPs’ PCI DSS compliance status at least once every 12 months.

12.8.4.b Examine documentation and interview responsible personnel to verify that the PCI DSS compliance status of each TPSP is monitored at least once every 12 months.

The Prevalent TPRM Platform includes a large library of pre-built templates for third-party risk assessments – including those specifically built around PCI. Assessments can be conducted at the time of supplier onboarding, contract renewal, or at any required frequency (e.g., quarterly, or annually) depending on material changes in the relationship.

Assessments are managed centrally and backed by workflow, task management and automated evidence review capabilities to ensure that your team has visibility into third-party risks throughout the relationship lifecycle.
Importantly, Prevalent includes built-in remediation recommendations based on risk assessment results to ensure that your third parties address risks in a timely and satisfactory manner and can provide the appropriate evidence to auditors.

As part of this process, the Prevalent Platform continuously tracks and analyzes external threats to third parties. The Platform monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

All monitoring data is correlated with assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting, remediation, and response initiatives.