
PCI 3.X and vendor management: New standards require more vendor oversight


The relationship between business partners that share sensitive data is changing, as information now has as much value as currency. Simply granting network access increases the risk of a data breach, as shown by high-profile incidents in which third-party vendors gained access to information and it was then exploited. To help strengthen data security, the Payment Card Industry (PCI) Security Standards Council (SSC) introduced new vendor management guidelines in version 3.X of the PCI Data Security Standard (DSS).

Under PCI DSS 2.0, vendor management was addressed in Requirement 12.8, which was essentially a paper requirement. Merchants only had to provide documentation that a vendor management program was in place and reviewed annually. However, PCI DSS 3.X considerably strengthens requirements for managing relationships with third-party vendors that handle cardholder data.

The two main vendor management guidelines in PCI DSS 3.X are Requirements 12.8.5 and 12.9:

  • Requirement 12.8.5 requires merchants to document, for each vendor, which PCI DSS requirements are handled by the merchant and which are managed by the service provider.
  • Requirement 12.9 makes vendor management a two-way street, calling on service providers to provide merchants with written agreements similar to those described in Requirement 12.8.5.

PCI DSS 3.X goes beyond written agreements, requiring clear assignment of responsibilities, details on how third parties are meeting each requirement, and additional documentation from service providers. The new guidelines help merchants actually verify vendor compliance with PCI requirements and strengthen the controls that protect sensitive data.
