- What technology and system components are used by the TPSP for the services?
- Does the TPSP use other third parties?
- What other core processes or services are housed in TPSP facilities?
- How many facilities does the TPSP have where cardholder data will be located?
- Consult with your “acquiring bank”, “merchant bank”, or “acquiring financial institution” (each an “Acquirer”) to confirm that the TPSP’s services are approved.
- Review the participating payment card brands’ service-provider listings and websites, as well as the TPSP’s PCI DSS validation documents (for example its Attestation of Compliance), and check that the services you intend to use actually fall within the scope of that validation.
- Perform a risk assessment of the TPSP using an industry-accepted methodology.
Engaging the TPSP: Implement a process for engaging TPSPs.
- Set forth the expectations of all parties involved and review them at least annually so that everyone continues to work to a consistent, mutually agreed mode of operation.
- Assess the scope of the TPSP’s responsibility and consider including contractual provisions that require the TPSP to share compliance evidence.
- Establish a communication schedule so that changes are communicated to the appropriate people in a timely manner.
- Track how each of the TPSP’s services and products maps to the PCI DSS requirements it affects.
Written Agreements, Policies and Procedures: Once a TPSP is chosen, the entity and the TPSP should formalise the agreement in writing.
- If a TPSP claims its services are PCI DSS compliant, document that claim, the date of the compliance assessment and any components or services that were excluded from the assessment.
- Keep in mind all regional requirements that apply, such as state-specific rules, and all legislative considerations, such as definitions of protected information and breach-notification thresholds.
- Review agreements with Acquirers to ensure that TPSPs are meeting any additional requirements those agreements impose.
- Review each payment card brand’s compliance program to make sure the TPSP is in compliance with it.
- Keep industry-specific regulations in mind.
- Make the TPSP aware of the company’s incident response plan, its requirements and the allocation of responsibility in the case of a suspected data breach.
- Consider which requirements and responsibilities will continue to apply to the TPSP even after the engagement has formally ended (e.g. if a TPSP continues to store an entity’s cardholder data as part of a backup system).
Monitor Third-Party Service Provider Compliance Status: Develop a robust compliance monitoring program and document it.
- Make sure all personnel involved in monitoring understand the scope of the cardholder data environment, and define the deliverables expected from the TPSP.
- Set forth a procedure for maintaining the TPSP list, which includes information such as the TPSP’s name and primary points of contact, the specific services provided, the date of the last review, etc.
- Consider including the following in your TPSP monitoring procedure: a list of the evidence and supporting documentation that will be collected from the TPSP, a detailed description of the TPSP’s PCI DSS compliance status, a report template, details of how status-review results are to be shared and approved, and policies for retention of monitoring-program data.
By properly implementing a BTM GROUP third-party assurance program, a company can help ensure that cardholder data is kept in a safe and compliant manner.