Blog

Merchants: Know Your Service Providers!

Date published:

Feb 6, 2022

VikingCloud Team

SHARE ON
SHARE ON

Know Your Customer

There’s an acronym we use in the payments industry: KYC. With KYC, which is Know Your Customer, we’re referring to ISOs’ and acquirers’ need to know the type of business each of their merchants conducts. If due diligence for KYC doesn’t take place, the ISO/acquirer could inadvertently be facilitating money laundering or a number of other illegal activities.

I’d like to suggest a new acronym to go along with the PCI 3.0 SAQs: KYSP or Know Your Service Provider.

As an owner of a business that is subject to the PCI DSS, you must be fully aware of not only who your service providers are, but how they can impact the security of your customers’ credit and debit card information.

Specifically, you should be able to list each of your business’s service providers, affirm the services they provide, and confirm that each provider listed is, in fact, PCI compliant as is required by the PCI DSS.

The PCI Security Standards Council (SSC) takes this topic very seriously. In fact, they formed a related special interest group which just today released Third-Party Security Assurance Guidance.

What is a Service Provider?

The SSC has defined the service provider as follows: A service provider is any “business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data.”

Some common examples of service providers include:

• Independent Sales Organizations (ISOs)

• Transaction processors

• Payment gateways

• Web hosting companies

• Managed Security Services Providers (MSSPs)

• Third party marketing firms

• Vendors that perform POS maintenance

It’s important to keep in mind that while a service provider may not directly interact with your customers’ card data, their activity can affect the security of that data. For example, an MSSP who manages your firewall can affect the security of your card data because they manage your network segmentation.

What’s Required for PCI 3.0?

Requirements related to service providers are listed in section 12 of PCI DSS v3.0. All of the requirements in v2.0 have been carried over (and in many cases clarified) for v3.0. In addition, there are three new requirements for the merchant:

• 12.4.1: Information security responsibilities must be assigned such that separation of duties for security functions is maintained.

• 12.8.2: Maintain a written agreement that includes an acknowledgement that the service providers will maintain all applicable PCI DSS requirements to the extent the service provider handles, has access to, or otherwise stores, processes, or transmits the customer’s cardholder data or sensitive authentication data, or manages the customer’s cardholder data environment on behalf of a customer.

• 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.

Here is the related question as it will appear in all v3.0 Self-Assessment Questionnaires (SAQs): “Does your company share cardholder data with any third-party service providers (for example, gateways, payment processors, payment service providers (PSP), web-hosting companies, airline booking agents, loyalty program agents, etc.)?”

If your answer is “Yes,” then you will be asked to provide the “Name of service provider” and “Description of services provided” for each of your business’s service providers. You will also be asked the following: “Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity?”

The “entity” here is your business and in essence, the PCI DSS requires that you have a written agreement with all of your business’s service providers. This agreement should include specifics on who is responsible for meeting each PCI requirement for which your business is in scope.

For their part, ISOs and acquirers are telling us that they’re receiving increasing pressure from the payment card brands (Visa, MasterCard, AMEX, Etc.) to advise them of the service providers their merchants are using. Within the Visa system, ISOs and acquirers are encouraged to “register” their merchants’ service providers.

How can you get started?

Now is a perfect time to begin documenting your service providers in preparation for your business’s annual PCI self-assessment:

1. Identify and list each of your business’s service providers;

2. Understand and document the ways in which their activity can influence card data security; and

3. Establish trusted points of contact with each firm and store written agreements in a common place.

Want to learn more about PCI compliance and service providers?

Contact us to learn more about how VikingCloud can help.

SHARE ON

Related Blogs

Stay up-to-date on the latest happenings in Cybersecurity and PCI Compliance.
View all blogs
Blog
Sep 19, 2024
What is Automated Penetration Testing?
Blog
Sep 12, 2024
ISO 27000 Family Standards
Blog
Sep 6, 2024
What is ISO 27001?
Andrea Sugden
Chief Sales and Customer Relationship Officer
Let’s Talk
To get started with a VikingCloud cybersecurity and compliance assessment, email, call or click:
Contact Us
Connect with us:
Stay in the know
Get VikingCloud Resources, News, & Views delivered straight to your inbox.
Solutions
Cybersecurity
Compliance & Risk
Security Testing
Asgard Platform
Why AsgardTourTechnology
About Us
Why VikingCloudLeadershipJoin Our TeamNews & Media
Resources
BlogEventsReports & White PapersWebinarsCase StudiesPress & NewsVlogsVideosInfographicsProduct DatasheetsCybersecurity GlossaryMedia Kit
Login
Asgard PlatformMyVikingCloudDigital Certificates Control CenterWeb Risk Monitoring
Contact
Contact Us24x7 Support
©2024 Viking Cloud, Inc. or its affiliates.