
PCI 3.X and vendor management: New standards require more vendor oversight


The relationship between business partners that share sensitive data is changing, as information now has as much value as currency. Simply granting a vendor network access increases the risk of a data breach, as high-profile incidents in which third-party vendors gained access to information and exploited it have demonstrated. To help increase data security, the Payment Card Industry (PCI) Security Standards Council (SSC) introduced new vendor management guidelines in version 3.X of the PCI Data Security Standard (DSS).

Under PCI DSS 2.0, vendor management was addressed in Requirement 12.8, which was essentially a paper requirement: merchants only had to provide documentation that a vendor management program was in place and reviewed annually. PCI DSS 3.X, however, considerably strengthens the requirements for managing relationships with third-party vendors that handle cardholder data.

The two main vendor management guidelines in PCI DSS 3.X are Requirements 12.8.5 and 12.9:

  • Requirement 12.8.5 requires merchants to identify, for each vendor, which PCI requirements are handled by the merchant and which are enforced by the service provider.
  • Requirement 12.9 makes vendor management a two-way street, calling on service providers to provide merchants with agreements similar to those in Requirement 12.8.5.

PCI DSS 3.X goes beyond written agreements: it requires clarification of responsibilities, details of how third parties are meeting requirements, and additional documentation from service providers. The new guidelines make it possible to actually verify vendor compliance with PCI requirements and strengthen the controls that protect sensitive data.
