
What's New in PCI Version 3.0: Service Providers' Responsibilities

12/10/2014  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Practice Leader of Risk Services


Social Logo Social Logo Social Logo Social Logo

Version 3.0 of the PCI Data Security Standards goes into effect in 2015 – meaning there are only a few weeks to go before it is the sole compliance standard for organizations that process, store, or transmit payment card data. In 2014, merchants could demonstrate compliance against either Version 2.0 or 3.0, but as of January 1, 2015 the new rules will be in effect. And some of the changes mean significant new responsibilities for merchants and the vendors who provide services for them. Previously in this series, we’ve taken a look at new controls surrounding Point of Sale systems and the service providers who interact with those systems. Today we’re going to take a look at two more rules that impact the responsibilities of merchants and their service providers.

Documenting responsibilities

The first rule, Requirement 12.8.5, affects merchants with vendors providing support related to a cardholder data environment. What does that mean, exactly? This is any kind of support for systems on which card data is processed, transmitted, or stored – it could mean hosting services or security services. The rule specifies that a merchant must document in writing the responsibilities of each party as it relates to PCI. In the past, some merchants have had a tendency to say that they’ve outsourced their PCI responsibilities to a given service provider. Now, the Council is clarifying that merchants cannot outsource their PCI obligation in its entirety – but they can outsource elements of the execution. This rule provides guidance for that process. When a merchant outsources an element of their PCI compliance execution, they must now document the responsibilities of each party – vendor and merchant alike. Merchants need to drive this process in order to make sure that all relevant responsibilities are clearly articulated and agreed. This way, there can be no confusion or ambiguity in the event that the merchant is later found to be out of compliance. With clear documentation, a merchant knows exactly what services they are receiving with respect to PCI.

Affirming responsibilities

Another, related rule, Requirement 12.9, specifies that service providers must affirm their responsibility for specific elements of a client’s PCI compliance. This affirmation must be explicit and documented: the vendor is required to submit the acknowledgment in writing. With these two new requirements, the PCI Council hopes to reduce ambiguity around the degree to which service providers may take on merchants’ PCI responsibilities. Since this may require some significant effort on the part of merchants and vendors, these new rules are considered “best practices” until July 1, 2015, at which point they will become full-blown requirements. Organizations with reporting dates before July will not be responsible for these rules until the following year, while those with reporting dates after July will have to demonstrate compliance in 2015. For all merchants, however, it is advisable to nail down your service providers’ responsibilities in writing as soon as possible.

Ready to learn more? Be sure to download the free guide, PCI Compliance Guidelines Explained. On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter at @lbmcsecurity.
