PCI 3.X and vendor management: New standards require more vendor oversight
WHITE PAPER
The relationship between business partners that share sensitive data is changing, as information now has as much value as currency. Simply granting a partner network access increases the risk of a data breach, as demonstrated by high-profile incidents in which third-party vendors gained access to information and exploited it. To help increase data security, the Payment Card Industry (PCI) Security Standards Council (SSC) introduced new vendor management guidelines in version 3.X of the PCI Data Security Standard (DSS).
Under PCI DSS 2.0, vendor management was addressed in Requirement 12.8, which was essentially a paper requirement. Merchants only had to provide documentation that a vendor management program was in place and reviewed annually. However, PCI DSS 3.X considerably strengthens requirements for managing relationships with third-party vendors that handle cardholder data.
The two main vendor management guidelines in PCI DSS 3.X are Requirements 12.8.5 and 12.9:
- Requirement 12.8.5 requires merchants to document, for each vendor, which PCI requirements the merchant handles and which the service provider is responsible for.
- Requirement 12.9 makes vendor management a two-way street, calling on service providers to provide agreements to merchants, similar to those in Requirement 12.8.5.
PCI DSS 3.X goes beyond written agreements: it requires that responsibilities be clarified, that details be provided on how third parties are meeting the requirements, and that service providers supply additional documentation. The new guidelines make it possible to actually verify vendor compliance with PCI requirements and strengthen the controls that protect sensitive data.