Navigating the complexities of PCI DSS compliance can be challenging, especially when it comes to understanding the role of Third Party Service Providers (TPSPs). We spoke to our PCI DSS experts to clarify what a TPSP is and their requirements under PCI DSS.
The difference between Merchants and Service Providers
Companies that are in-scope for PCI DSS compliance can be categorised as Merchants and Service Providers.
Merchants: These are businesses that accept payment cards bearing the logo of payment brands, such as Visa and Mastercard, as a method of payment for goods and services provided.
Service Providers (TPSPs): These support and provide a service to other Merchants which has an impact on their payment card data security.
However, the same company can actually be both if they fulfil both functions. An example might be a Data Centre hosting a customer’s IT environment. The customer may be including cardholder data in these systems so from a hosting perspective the Data Centre company are a TPSP. They may also be a merchant if they accept card payments for their hosting services.
Read more: PCI DSS: A terminology and acronym minefield
Common misunderstandings about TPSPs
When carrying out PCI DSS assessments, our QSAs frequently navigate through a range of client misinterpretations and uncertainty on the subject of TPSPs.
This is often centred around the requirements in 12.8 which are all about managing the Merchant / TPSP business relationships. For example, 12.8.4 stipulates that a process must be in place to monitor the PCI DSS compliance status of each in-scope service provider on at least an annual basis. However, many TPSPs mistakenly believe that if they don’t directly handle cardholder data, they don’t need to comply with PCI DSS.
A typical response from in-scope TPSPs which are not an obvious payment gateway provider is “we don’t handle cardholder data, so we don’t need to be included in this” and “we are not a PCI DSS service provider”.
This is directly at odds with the guidance provided by the PCI Security Standards Council (SSC). So, what is the real story?
Clarifying TPSP roles
There is a very useful Glossary of Terms included in the PCI DSS standard itself as well as information supplements such as Third-Party Security Assurance available in the SSC’s online Document Library. Here, it states that TPSPs aren’t just companies that process, store, or transmit cardholder data. They also include companies that provide services that could control or impact the security of cardholder data.
Some examples of TPSPs (not intended to be an all-inclusive list) are:
- Payment gateway services;
- Infrastructure / data centre hosts;
- Managed firewall administrators;
- Monitoring services for critical alerts, such as SOC-provision;
- Companies providing secure destruction of electronic or physical media;
- Providers of software development;
- Web site hosts;
- Entities providing call centre and customer contact services;
- Point-of-sale companies or integrators involved with installations and maintenance of equipment;
- Fraud verification or credit reporting services.
It is worth noting that an Acquirer bank is normally not considered to be a service provider for the purposes of Requirements 12.8. Also, where a Telecomms company is providing a communications link, or an Internet Service Provider is providing a ‘pipe’ for internet access, these type of companies are not considered to be a PCI DSS service provider.
We can help you with your PCI DSS compliance
Understanding and managing TPSP compliance can be tricky. That’s where our PCI DSS experts come in. We can help you establish best practice processes for TPSP compliance and assess your TPSP 12.8 requirements as part of a broader PCI DSS gap analysis.
By clearly understanding the role of TPSPs and their compliance requirements, you can ensure better security for your payment card data and maintain PCI DSS compliance more effectively. Get in touch to discuss how we can make your PCI DSS compliance easier.
Insights
PGI joins WeProtect Global Alliance to strengthen the child safety online ecosystem
Protection Group International (PGI) is pleased to announce that it has joined WeProtect Global Alliance to support the creation of a safer online environment for children.
Politics of the absurd - Digital Threat Digest
“As Gregor Samsa awoke one morning from uneasy dreams he found himself transformed in his bed into a gigantic insect”, is how Franz Kafka opens his absurdist short story The Metamorphosis.
The importance of Business as Usual PCI DSS compliance
Achieving PCI DSS compliance is a significant milestone for any entity that handles cardholder data. But! Maintaining that compliance is just as important, because lapsing into non-compliance can lead to substantial financial penalties, increased fees, and a higher risk of data breaches.