The three constraints on Influence Operations - Digital Threat Digest
![Double circle designs part4](https://pgi.imgix.net/assets/uploads/images/Blog-posts/Double-circle-designs-part4.png?auto=compress%2Cformat&fit=crop&fm=webp&h=349&ixlib=php-3.1.0&upscale&w=349&tone=light)
Navigating the complexities of PCI DSS compliance can be challenging, especially when it comes to understanding the role of Third Party Service Providers (TPSPs). We spoke to our PCI DSS experts to clarify what a TPSP is and their requirements under PCI DSS.
Companies that are in-scope for PCI DSS compliance can be categorised as Merchants and Service Providers.
Merchants: These are businesses that accept payment cards bearing the logo of payment brands, such as Visa and Mastercard, as a method of payment for goods and services provided.
Service Providers (TPSPs): These support and provide a service to other Merchants which has an impact on their payment card data security.
However, the same company can actually be both if they fulfil both functions. An example might be a Data Centre hosting a customer’s IT environment. The customer may be including cardholder data in these systems so from a hosting perspective the Data Centre company are a TPSP. They may also be a merchant if they accept card payments for their hosting services.
Read more: PCI DSS: A terminology and acronym minefield
When carrying out PCI DSS assessments, our QSAs frequently navigate through a range of client misinterpretations and uncertainty on the subject of TPSPs.
This is often centred around the requirements in 12.8 which are all about managing the Merchant / TPSP business relationships. For example, 12.8.4 stipulates that a process must be in place to monitor the PCI DSS compliance status of each in-scope service provider on at least an annual basis. However, many TPSPs mistakenly believe that if they don’t directly handle cardholder data, they don’t need to comply with PCI DSS.
A typical response from in-scope TPSPs which are not an obvious payment gateway provider is “we don’t handle cardholder data, so we don’t need to be included in this” and “we are not a PCI DSS service provider”.
This is directly at odds with the guidance provided by the PCI Security Standards Council (SSC). So, what is the real story?
There is a very useful Glossary of Terms included in the PCI DSS standard itself as well as information supplements such as Third-Party Security Assurance available in the SSC’s online Document Library. Here, it states that TPSPs aren’t just companies that process, store, or transmit cardholder data. They also include companies that provide services that could control or impact the security of cardholder data.
Some examples of TPSPs (not intended to be an all-inclusive list) are:
It is worth noting that an Acquirer bank is normally not considered to be a service provider for the purposes of Requirements 12.8. Also, where a Telecomms company is providing a communications link, or an Internet Service Provider is providing a ‘pipe’ for internet access, these type of companies are not considered to be a PCI DSS service provider.
Understanding and managing TPSP compliance can be tricky. That’s where our PCI DSS experts come in. We can help you establish best practice processes for TPSP compliance and assess your TPSP 12.8 requirements as part of a broader PCI DSS gap analysis.
By clearly understanding the role of TPSPs and their compliance requirements, you can ensure better security for your payment card data and maintain PCI DSS compliance more effectively. Get in touch to discuss how we can make your PCI DSS compliance easier.
As I waited for my flight to be rescheduled during last week’s IT outage, I listened to fellow passengers wonder aloud how a company whose name has never hit their radar could have such an impact on such a spectrum of day-to-day matters.
If you don’t know who Nara Smith is, I’m sorry to say you may just be living under a rock. Nara Smith has simply taken over my Instagram and TikTok feed with her ‘what I cooked for my husband today’, ‘what my toddlers ate today’ or my favourite video format, ‘my husband was craving [insert insane request] so I made it from scratch’.
Explaining how digital incidents severely impact the real world can be difficult, but we are increasingly seeing cyber incidents that illustrate how malicious actors can impact our daily lives.