Aiming to clarify the often vague requirements of the Payment Card Industry Data Security Standard (PCI DSS), the PCI Security Standards Council (PCI SSC) regularly adds to its list of frequently asked questions with guidance to help organizations understand their obligations for compliance.
In a recent FAQ, the PCI SSC explained the role of third-party service providers (TPSPs) in demonstrating PCI DSS compliance to customers.
Here’s what vendors and customers need to know.
The PCI SSC defines a TPSP as an organization that is not a payment card brand but is “directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.” This can include customer service and call center operations, fraud verification services, credit reporting services, collection agencies, e-commerce payment providers, and more.
According to guidance from the PCI SSC, “entities can use a TPSP to store, process, or transmit cardholder data on the entity’s behalf, or to manage components of the entity’s cardholder data environment (CDE), such as routers, firewalls, databases, physical security, and/or servers.”
Because of the integral role they can play in managing and securing an organization’s CDE, TPSPs often impact an entity’s PCI DSS compliance. For this reason, the PCI SSC advises that entities establish “clear policies and procedures” for managing and reporting on PCI DSS requirements as part of the entity’s broader third-party risk management program.
“This includes performing due diligence, having appropriate agreements in place, identifying which requirements apply to the customer and which apply to the TPSP, and monitoring the compliance status of TPSPs at least annually,” the PCI SSC notes. “[I]f a TPSP provides a service that meets a PCI DSS requirement(s) on behalf of the customer, then those requirements are in scope for the customer’s [PCI DSS] assessment.”
Any organization that stores, processes, transmits, or interacts with payment card data must comply with PCI DSS. This includes vendors that provide third-party services to other businesses.
According to the PCI SSC, TPSPs must provide evidence to their customers that they are compliant with applicable PCI DSS requirements. There are two ways to do this.
The first way is for vendors to undergo their own PCI DSS assessment by a PCI DSS qualified security assessor (QSA). As a service provider, if you choose to go this route, you must provide sufficient evidence to your customers that (1) the scope of your PCI DSS assessment covered the services you provide to them, and (2) your QSA examined those services against PCI DSS requirements and determined that you are compliant.
In these cases, you are also expected to provide your PCI DSS Attestation of Compliance (AOC) to customers upon request. Notably, TPSPs cannot just provide a simplified or limited security checklist—like an SAQ A—in lieu of an AOC and call it sufficient proof. Your proof must demonstrate compliance with all the necessary, broader PCI DSS rules that apply to the services you are offering the customer.
The second way applies if you have not undergone an independent PCI DSS assessment. In this case, you must provide customers with specific evidence related to PCI DSS requirements that apply to your organization and its services. This will allow your customer—or their PCI DSS assessor—to determine whether you are compliant. This is a much more involved process for the customer. For TPSPs aiming to reduce friction or delays in the sales cycle, completing a full PCI DSS assessment is often the better option.
For businesses planning to enlist the services of a third-party vendor that interacts with payment card data, it’s important to do your own due diligence to ensure their compliance with PCI DSS requirements.
If you’re working with a TPSP that has completed a PCI DSS assessment and provided you with their AOC, you must ensure that the scope of their assessment actually covered the services that you are using.
If your vendor has not undergone their own PCI DSS assessment, you should ask for specific evidence that they meet the necessary security standards for handling payment card data and thoroughly review that information to ensure their compliance. You may also need to provide this evidence to your own auditors as part of external compliance assessments.
These steps should be completed as part of the vendor onboarding process, but the work doesn’t stop there. For businesses across industries, effectively managing third-party risk should be a top priority. In 2024, nearly one-third (30%) of data breaches involved a third party, twice the share reported the year prior, according to Verizon’s latest Data Breach Investigations Report (DBIR). Continuous monitoring of vendors is a key part of mitigating the risks they pose to your organization.
In sum, third-party service providers who touch credit card data or affect its security must show their customers that they are compliant with PCI DSS, whether it’s by providing their AOC or handing over a stack of proof that shows they’re adhering to the standard’s strict rules for payment card data security.
This not only satisfies the requirements of PCI DSS, but also helps build trust between vendors and the businesses they serve.