As our discussion of PCI 3.0 continues, today we’re going to talk about your relationships with your third-party providers – how 3.0 affects them, the kind of provider you should be working with and exactly what is and isn’t in scope when it comes to service providers.

The right provider can make all the difference, lightening your burden and helping you experience smoother, faster audits. So let’s start by looking at what PCI 3.0 has to say about third-party providers.

Who’s in Scope

Per the regulations, compliance validation must be performed on all system components in the cardholder data environment (CDE). Anyone with access to or providing services that can impact the security of your CDE is in scope. That doesn’t just mean your own staff and technology – it includes all third-party service providers, from hosting providers to managed security service providers to contractors.

A word of advice: don’t ever assume your provider is taking care of compliance regulations on their end. If something goes wrong, it’ll be you failing the audit and paying the fine – and that makes it your responsibility to make sure your providers are compliant.


If you take a look at PCI 3.0, you’ll see the regulations focus on the need for clear communication. Providers must offer complete transparency on the division of compliance responsibilities – and that’s a good thing, as it will help make the provider evaluation process a little easier and keep organizations informed of their own compliance status.

On your end, that means you’ll need to identify who’s responsible for which components and requirements. These divisions must be clearly documented, as well. For example, a managed hosting provider should clearly define which of their IP addresses are scanned as part of their quarterly vulnerability scan process and which IP addresses should be included in the customer’s quarterly scans. Once again, don’t make any assumptions – 3.0 specifically requests that customers and providers spell out all responsibilities in contracts, whether it’s an MOU (memorandum of understanding), SLA (service level agreement) or Terms of Service contract.

Making the Right Choice

The truth is that the new 3.0 guidelines can help organizations find the right provider for their particular business. Obviously, the need for transparency and communication will go far in helping you understand what each provider brings to the table. But you’ll still need to decide between service providers who undergo their own PCI DSS assessments and providers who simply have their services reviewed during the customer’s audit.

My guidance on this: you’d be wise to work with validated providers who successfully pass their own assessments and can show you proof of their compliance. Make sure the evidence verifies that their assessments cover the services relevant to your needs – and once again, all of this should be documented in your agreements.