One of the livelier discussions at our last PCI Dream Team session centered on requirement 12.8 and third party management (i.e., service providers). What got the discussion started was Art (Coop) Cooper's comment that only SAQ A states that all third parties must be PCI compliant. None of the other SAQs, and not even the ROC, state that third parties need to be PCI compliant.
All of this is very true and has been this way since the beginning of the PCI DSS.
But … That is not the whole story.
In this instance, the PCI DSS is not the only game in town.
People forget that Visa, Mastercard, Discover, American Express and JCB (aka "The Brands") still have their own security programs and requirements in addition to the PCI DSS. Some of these requirements are in their Operating Rules or similar documents. In this case, Visa, Mastercard and Discover all require that service providers be PCI compliant as defined on their respective Web sites. Visa and Mastercard also maintain lists of PCI compliant service providers. That said, those lists are marketing ploys that generate revenue for Visa and Mastercard, as the service providers listed pay to be on them.
While Coop's statement that the PCI DSS does not require service providers to be PCI compliant is accurate, it is shortsighted. The Brands do require service providers to be PCI compliant, and they enforce it through the merchant agreement/contract that every organization signs in order to accept those cards for payment.
The bottom line is that, if a service provider can provide you a current PCI Service Provider Attestation Of Compliance (AOC), you can use their services and comply with the Visa, Mastercard and Discover contracts.
Coop also stated that he has never seen the Brands enforce the contractual obligation when reviewing organizations' ROCs and SAQs. That is also a true statement, but again not the complete story. Based on what I have been told by lawyers who have been involved in breach litigation, it is the merchant agreement/contract that is used to hold breached merchants legally responsible and to enforce fines, not PCI compliance or what is in any PCI document. The PCI documents are used to influence fines and penalties, but the actual enforcement is through the contracts with the Brands. If it is found that an organization was using non-PCI compliant service providers, that only adds fuel to the fire.
As famous radio personality Paul Harvey used to say, "And that is the rest of the story."
The post 'The PCI DSS Is Not The Only Relevant Payment Security Standard' was first published by PCI Guru.