PCI, Service Providers, and You

Donald Mills
Aug 19, 2021 3:30:00 PM

As merchants increasingly utilize trusted partners to maintain and manage critical pieces of their business, information technology, and security infrastructure, it becomes necessary to build a program to manage these vendors.

Businesses that process credit card payments are required by their merchant agreements to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). Dependent on how the merchant processes card transactions, they can be required to validate as few as 22 PCI controls to over 220 controls during their annual assessment. Vendors offer services to help merchants with all the PCI controls, but the merchant is always responsible for their own compliance and no matter how they process cards, 6 controls for PCI service provider management are always applicable.

What is a Service Provider and How Should You Manage Them?

A service provider for PCI purposes is a business entity (that’s not a payment brand or an internet service provider that only provides a communication link) a merchant uses to store, process, or transmit cardholder data (CHD) or could impact the security of the merchant’s cardholder data environment (CDE).

If a business is part of the payment flow for a merchant or if any of the merchant’s PCI security controls could reasonably be impacted by that business, they should be managed as a PCI service provider subject to these 6 controls:

  • 12.8 - Are policies and procedures maintained and implemented to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
    • 12.8.1 - Is a list of service providers maintained, including a description of the service(s) provided?
    • 12.8.2 - Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment?
    • 12.8.3 - Is there an established process for engaging service providers, including proper due diligence prior to engagement?
    • 12.8.4 - Is a program maintained to monitor service providers’ PCI DSS compliance status at least annually?
    • 12.8.5 - Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity?

Let’s breakdown what each of these controls means and how they can be met:

12.8 - This is the overarching service provider management control and defines that the merchant must have policies and procedures for 12.8.1-12.8.5; this control is met by having documentation for and being compliant with the 5 sub-controls.

12.8.1 - This control requires the merchant to maintain a list of their PCI service providers and information about what each service provider does for the merchant.

In a large, complex environment this could require a vendor management solution. But for most merchants, having a vendor management policy stating that a list of PCI service providers with information on the services they provide will be maintained and updated when a service provider is onboarded would be sufficient. The list could be maintained in an Excel file, a Word document, or a SharePoint list and look something like this:

Service Provider Name Service(s) Provided
Amazon (AWS) Shared hosting provider for public facing ecommerce servers


12.8.2 - This requirement can be easiest to meet if it’s part of the vendor onboarding process by including language in the contract or master service agreement but can be difficult to address after a vendor is engaged.

A merchant’s vendor management policy should require that PCI service providers include written agreements that the vendor will secure CHD they handle on the client’s behalf and that the services being offered that could impact the security of the merchant’s CDE will meet PCI DSS requirements.

12.8.3 - Performing due diligence before onboarding a vendor is essential to managing your PCI compliance and this control can be accomplished by documenting the process the merchant will use to be compliant with the PCI service provider controls.

The PCI service provider engagement process should at a minimum answer: what PCI controls will the service provider be responsible for, how will the service provider validate PCI compliance and what evidence of compliance will they provide, how will breach-notification be managed, and is right-to-audit ensured.

12.8.4 - Maintaining a program to monitor merchant service providers’ PCI compliance status is necessary to validate service providers are complying with the same security controls the merchant is subject to.

PCI service providers can but aren’t required to perform their own PCI assessment with a signed Attestation of Compliance (AOC). If the service provider has an AOC, the merchant should validate the services they’re receiving were assessed by reviewing part 2 of the AOC. If the service provider doesn’t have an AOC, their services must be assessed as part of each of their merchant’s annual PCI assessments. Monitoring service provider compliance status information can be done by adding onto the list from requirement 12.8.1:

Service Provider Name Service(s) Provided Method of Validation Date of PCI Validation / AOC
Amazon (AWS) Shared hosting provider for public facing ecommerce servers. AOC 6/1/2021
SIEM MSSP Managed SIEM Service provider controls validated during merchant PCI assessment 7/6/2021

12.8.5 - Ideally your service provider has a responsibility matrix that lists each PCI control and if the merchant, the service provider, or both have a role in achieving compliance. If the service provider doesn’t have a matrix, the merchant is responsible for documenting the information themselves.

Compliance with this control can be met by defining that you will document and maintain PCI service provider responsibilities in your vendor management policy and adding onto your list of service providers you’re managing from 12.8.1 and 12.8.4 with information like this:

Service Provider Name Service(s) Provided PCI Requirement Responsibility
Amazon (AWS) Shared hosting provider for public facing ecommerce servers Defined in Amazon services control matrix
SIEM MSSP Managed SIEM SIEM MSSP receives event logs from all CDE systems. SIEM MSSP monitors, maintains, and reviews logs and escalates anomalies in accordance with PCI controls 10.5-10.7


Vendor management is a complex and extensive topic reaching far beyond PCI compliance, but if a policy and process are defined early on by merchants, the controls in 12.8 can be met without consuming much time or resources.

Compass IT Compliance works with a number of organizations to ensure PCI DSS compliance through the following services:

We were among the first organizations in the country to achieve Qualified Security Assessor (QSA) status. Our QSA-certified auditors are experts at evaluating how an organization processes, transmits, and stores card holder data and makes best-practice recommendations to help ensure compliance with the most current version of the PCI Data Security Standards. Compass IT Compliance has the knowledge, tools, and experience to tailor the right approach for your business and achieve compliance with all PCI DSS requirements. Contact us today to learn more and discuss your unique situation!

You May Also Like

These Stories on Vendor Management

Subscribe by Email

No Comments Yet

Let us know what you think