PCI DSS 3.0 Third Party Management for SMBs

Small and midsize businesses (SMBs) implementing PCI DSS typically do not require a Qualified Security Assessor (QSA), and may either implement these requirements on their own or with the help of a security consultant.

PCI merchants, especially SMBs, outsource frequently and are dependent on external organisations to supply services as part of their e-commerce and information technologies. Managing third parties, or service providers, begins with identification.

Identifying Service Providers

Let’s start with the definition of service providers: “Business entity (other than payment brand) directly involved in the processing, storage, or transmission of cardholder data.” This includes hosted or managed firewalls and intrusion detection systems (IDS), hosted websites, data center providers, payment gateways, outsourced customer service functions, independent sales organisations, and transaction processors.

This list is longer than many merchants had expected in this latest PCI DSS v3.0 version – and that’s the main point. The definition of a service provider is not limited to organisations with whom cardholder data (CHD) is shared; it also covers any service provider that could affect the security of CHD (e.g., a vendor providing physical security of a data center).

So for the first time, there is a mandatory requirement for organisations to gain a complete understanding of the CHD flow, from initial processing, to customer service, to storage, to the transmission and physical locations of all of the systems involved. Depending on the complexity of the organisation’s operation, this can be a somewhat complex task. The first activity is to start with a network diagram and expand it to include physical locations and security services. PCI DSS 3.0 requirement 12.8.1 requires that this list of service providers be maintained.

Identifying Service Provider Roles

Once SMB merchants have defined the service providers involved in their Cardholder Data Environment (CDE), they must next identify the specific roles and responsibilities of each service provider. It is imperative not to assume that a given task is the role and responsibility of the service provider. For example, do not assume that your hosted data center updates your network diagram (Requirements 1.1.2, 1.1.3), sets appropriate firewall rules to restrict access (Requirement 1.2), or ensures that only one primary function is implemented per server (Requirement 2.2.1). PCI DSS 3.0 specifically calls for the development and maintenance of a responsibilities matrix (RACI) for each service provider. Many service providers have these matrices available to describe their standard service to PCI merchants. To obtain one, ask for the “PCI Responsibilities Matrix”; if yours does not know what you are talking about, it may be time to look for a new service provider.

SMBs need to ensure such a matrix is in place for each service provider and that these matrices have been signed as part of the contractual agreement. Requirement 12.8.2 specifies that a written agreement must be in place that acknowledges the responsibilities of the service providers.

Managing Service Provider Roles

Once an understanding of the various PCI roles and responsibilities has been established and documented, the organisation must now implement an assurance function to ensure that this information remains accurate. This means determining the service provider’s ability to implement their responsibilities (i.e., due diligence) and (at least) annually reviewing the compliance status and contracts with each service provider.


You cannot simply outsource responsibility for the latest PCI compliance standard, which is now in effect. If you have a merchant ID, then you must comply with PCI. PCI DSS 3.0 has strengthened the requirements around understanding and separating roles and responsibilities between the merchant and the service provider, and SMBs especially need to take note of their current approach to managing their service providers. BTM GROUP assurance services offers a fast and cost-effective solution for SMBs in managing their third-party PCI compliance responsibilities on an ongoing basis.


