
PCI 3.X and vendor management: New standards require more vendor oversight

WHITE PAPER

The relationship between business partners that share sensitive data is changing, as information now has as much value as currency. Simply granting network access increases the risk of a data breach, as demonstrated by high-profile incidents in which third-party vendors gained access to, and exploited, information. To help increase data security, the Payment Card Industry (PCI) Security Standards Council (SSC) introduced new vendor management guidelines in version 3.X of the PCI Data Security Standard (DSS).

Under PCI DSS 2.0, vendor management was addressed in Requirement 12.8, which was essentially a paper requirement. Merchants only had to provide documentation that a vendor management program was in place and reviewed annually. However, PCI DSS 3.X considerably strengthens requirements for managing relationships with third-party vendors that handle cardholder data.

The two main vendor management guidelines in PCI DSS 3.X are Requirements 12.8.5 and 12.9:

  • Requirement 12.8.5 requires merchants to identify, for each vendor, which PCI requirements are handled by the merchant and which are enforced by the service provider.
  • Requirement 12.9 makes vendor management a two-way street, calling on service providers to provide agreements to merchants similar to those required of merchants in Requirement 12.8.5.

PCI DSS 3.X goes beyond written agreements, requiring clarification of responsibilities, details of how third parties are meeting requirements, and additional documentation from service providers. The new guidelines help merchants actually verify vendor compliance with PCI requirements and strengthen the controls that protect sensitive data.
