Vendor Management In PCI v3

By - June 23, 2015

The relationship between business partners that share sensitive data is changing, as information now has as much value as currency. Simply granting network access increases the risk of a data breach. As several high-profile incidents have demonstrated, attackers use third-party vendors as a path to gain access to, and steal, information. To help increase data security, the Payment Card Industry Security Standards Council (PCI SSC) introduced new vendor management guidelines in version 3.X of the PCI Data Security Standard (PCI DSS).

Under PCI DSS 2.0, vendor management was addressed in Requirement 12.8, which was essentially a paper requirement. Merchants only had to provide documentation that a vendor management program was in place and reviewed annually. However, PCI DSS 3.X considerably strengthens the requirements for managing relationships with third-party vendors that handle, or could gain access to, cardholder data.

The two main updated vendor management guidelines in PCI DSS 3.X are Requirements 12.8.5 and 12.9:
• Requirement 12.8.5 requires merchants to identify which PCI requirement is handled by the merchant and which is enforced by the service provider for each vendor.
• Requirement 12.9 makes vendor management a two-way street, calling on service providers to provide agreements to merchants, similar to those in Requirement 12.8.5.

PCI DSS 3.X goes beyond written agreements. It requires a clear delineation of responsibilities, details on how third parties are meeting requirements on behalf of their merchants, and communication and documentation between service providers and merchants so that all parties know their responsibilities for protecting cardholder data. The new guidelines help to actually verify vendor compliance with PCI requirements and strengthen the controls that protect sensitive data.

For further information on this topic, download the following whitepaper to learn more about new standards that require more vendor management oversight.

Also, join us on June 25 for insights on the notable requirements and clarifications introduced in PCI DSS 3.0 and 3.1. Register today.

