The PCI Security Standards Council guide can help organizations and their business partners better understand their respective roles in securing card data.
August 11, 2014
According to a 2013 study by the Ponemon Institute, the leading mistake organizations make when entrusting sensitive and confidential consumer information to third-party vendors is not applying the same level of rigor to information security in vendor networks as they do in their own.
In response to the third-party threat, the PCI Security Standards Council has published a guide to help organizations and their business partners reduce risk by better understanding their respective roles in securing card data.
Developed by a PCI Special Interest Group — including merchants, banks and third-party service providers — the document provides recommendations for meeting PCI Data Security Standard requirement 12.8 to ensure that payment data and systems entrusted to third parties are maintained in a secure and compliant manner.
The Third-Party Security Assurance Information Supplement provides practical recommendations to help businesses and their partners protect data, including:
The guidance includes high-level suggestions and discussion points for clarifying how responsibilities for PCI DSS requirements may be shared between an entity and its third-party service provider, as well as a sample PCI DSS responsibility matrix that can assist in determining who will be responsible for each specific control area.
As part of its initial proposal, the group also made specific recommendations that were incorporated into PCI DSS requirements 12.8 and 12.9 in version 3.0 of the standard.
“One of the big focus areas in PCI DSS 3.0 is security as a shared responsibility,” said Bob Russo, PCI SSC General Manager. “This guidance is an excellent companion document to the standard in helping merchants and their business partners work together to protect consumers’ valuable payment information.”
The Third-Party Security Assurance Information Supplement is available for download at the PCI SSC website.
As with all PCI Council information supplements, the guidance provided in this document is supplemental and does not supersede or replace any PCI DSS requirements.