PCI 3.X and vendor management: New standards require more vendor oversight


Download white paper

The relationship between business partners that share sensitive data is changing, as information now has as much value as currency. Simply granting a vendor network access increases the risk of a data breach, as demonstrated by high-profile incidents in which third-party vendors gained access to, and exploited, sensitive information. To help increase data security, the Payment Card Industry (PCI) Security Standards Council (SSC) introduced new vendor management guidelines in version 3.X of the PCI Data Security Standard (DSS).

Under PCI DSS 2.0, vendor management was addressed in Requirement 12.8, which was essentially a paper requirement. Merchants only had to provide documentation that a vendor management program was in place and reviewed annually. However, PCI DSS 3.X considerably strengthens requirements for managing relationships with third-party vendors that handle cardholder data.

The two main vendor management guidelines in PCI DSS 3.X are Requirements 12.8.5 and 12.9:

  • Requirement 12.8.5 requires merchants to identify, for each vendor, which PCI requirements are handled by the merchant and which are handled by the service provider.
  • Requirement 12.9 makes vendor management a two-way street, calling on service providers to provide merchants with written agreements similar to those required of merchants in Requirement 12.8.5.

PCI DSS 3.X goes beyond written agreements, requiring clarification of responsibilities, details of how third parties are meeting requirements, and additional documentation from service providers. The new guidelines help merchants actually verify vendor compliance with PCI requirements and strengthen the controls that protect sensitive data.
