I got a comment a while back about contracts and PCI compliance. The two requirements that are relevant in this discuss are 12.8.2 and 12.9. Requirement 12.8.2 is for all organizations (merchants and service providers) that are being assessed under the PCI DSS. Requirement 12.9 is only for service providers.
As usual, the clarifications surrounding these requirements were all provided verbally over the years at various PCI Community Meeting presentations and Q&A sessions. But the overall gist of these requirements can be readily determined. It just takes a little bit of effort and looking at more than just the PCI DSS.
Requirement 12.8.2 states:
“Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in this requirement.”
The Guidance provided for 12.8.2 states:
“The acknowledgement of the service providers evidences their commitment to maintaining proper security of cardholder data that it obtains from its clients. The extent to which the service provider is responsible for the security of cardholder data will depend on the particular service and the agreement between the provider and assessed entity.
In conjunction with Requirement 12.9, this requirement is intended to promote a consistent level of understanding between parties about their applicable PCI DSS responsibilities. For example, the agreement may include the applicable PCI DSS requirements to be maintained as part of the provided service.”
If things are still not clear enough, it helps to look at the ROC Reporting Template to get clarification. The tests being conducted for a given requirement usually clear up any confusion regarding what is being expected. There is only one test for 12.8.2 and it states:
“Describe how written agreements for each service provider were observed to include an acknowledgement by service providers that they will maintain all applicable PCI DSS requirements to the extent the service provider handles, has access to, or otherwise stores, processes, or transmits the customer’s cardholder data or sensitive authentication data, or manages the customer’s cardholder data environment on behalf of a customer.”
The first thing to notice in all of these discussions is that nothing in the PCI DSS states that any organization is required to work with a PCI compliant third party. None of the requirements in 12.8 specify that an Attestation Of Compliance (AOC) be provided. A lot of QSAs will argue that requirement 12.8.4 requires it, but if you read the test:
“Describe how it was observed that the entity maintains a program to monitor its service providers’ PCI DSS compliance status at least annually.”
There is nothing in that test that explicitly mandates that an AOC is required to monitor third parties. Granted an AOC is the easiest way to monitor service provider compliance, but there is nothing explicitly calling it out in this test.
So where does this “requirement” originate? It comes from the merchant agreements with the card brands, specifically Visa and MasterCard. They require that their merchants only work with third parties that are PCI compliant and can prove that compliance with a Service Provider AOC. This is why it is important to read and understand the brands’ merchant agreements and their own security programs. There are a number of key “requirements” that come from those documents that are just as important as what is in the PCI DSS. So, read them as well as all of the PCI documents.
Getting back to the PCI DSS, what the Council wants QSAs and ISAs to look for in contracts, master service agreements, addendums and any other legal documents that describe the parties’ legal relationship is some sort of acknowledgement between all parties that they will abide by the PCI DSS and ensure that sensitive authentication data (SAD) and cardholder data (CHD) is kept secure.
Where a lot of QSAs/ISAs go wrong is demanding that the words “PCI DSS”, “PCI standards” or other explicit acknowledgement of “PCI” something to appear somewhere in those documents. The Council has stated a number of times that explicitly using “PCI DSS”, “PCI standards” or “PCI” anything is not required. It would be great if such documents did, but a lot of legal documents do not because they either predate the PCI DSS or lawyers argue it is not necessary. That is what led to the Note in both requirements. The key is the last sentence which explicitly states:
“The acknowledgement does not have to include the exact wording provided in this requirement.”
It is this sentence that the Council always points to and states that this is why explicit statements of PCI or any other direct reference to PCI is not necessary nor required. My advice is, when in doubt, ask your client’s legal counsel for their legal interpretation of the legal agreements and whether they fell it covers the PCI responsibilities of the parties involved.
That will lead you to the fact that a lot of legal agreements reference the PCI DSS and PCI standards indirectly through language that obligates the parties to follow and comply with “regulatory or other legal requirements”. The reason this language works is because “other legal requirements” will drag in the card brand legal agreements for taking and processing card payments. Every card brand has legal agreements for merchants and service providers that explicitly call out that the customer of the brand will maintain PCI compliance for all relevant PCI standards.
Where this discussion becomes problematic is with service providers that do not directly process, store or transmit SAD/CHD such as managed service providers and the like that can affect the security of payments. That is because they are not directly under the card brands’ legal agreements, so their contracts while using the same “regulatory or other legal requirements” will not necessarily be referencing PCI compliance because they are indirectly involved. It is in these cases that I rely on getting a PCI AOC from the service provider which then provides the additional assurance that the service provider understands that they need to be PCI compliant.
It is when I cannot obtain an AOC from a service provider that I then explain to my client that this service provider’s environment needs to be assessed as part of their assessment. Either that or my client needs to find a new PCI compliant service provider.
What a QSA/ISA needs to be looking for in a service provider’s AOC is a couple of things (actually, there are a lot of things, but these are the most important).
First, you need to ensure that the services provided to your client have all been covered by the service provider’s assessment. Section 2a of the AOC documents the services covered and not covered. The most common problem found with section 2a is that one or more services used by an organization were not assessed. If services were not assessed, then you need to notify the service provider and develop a plan of how to handle this situation.
The next thing to review is the locations that were part of the assessment. It still amazes me the number of AOCs I review where a client’s data center or processing center was not part of the assessment. It gets worse when you bring this to the attention of the service provider and they get put out or worse, they argue with you over the fact that they must review every facility where a service is conducted. I am sorry, the PCI SCC and the card brands are the ones that make the rules, I am just the poor assessor that must enforce and live by them.
Finally, you need to review section 2g for all of the services assessed (if they were assessed from section 2a). Section 2g are a matrix of the 12 PCI DSS sections that explains who is responsible for the various PCI DSS requirements. From this matrix an organization is to construct their PCI program to fit the controls that they need to implement to be PCI compliant for this service.
There should be a section 2g for every individual service assessed, but in instances where PCI coverage is the same for different services (e.g., SaaS application hosting), you can combine services in section 2g. However, this is where problems usually are found. My favorite example of such a problem is the day I found data center co-location and call center services listed in the same matrix. I am sorry, but those services have very little similarity particularly in PCI controls. When you encounter this situation, it is usually indicative of a QSAC that does not understand how to deal with service providers and is cutting corners to get the ROC and AOC out the door. In addition, it also likely indicates a service provider that is just “checking a box” for PCI compliance to placate customers. But worse is when that service provider is listed on the Visa or MasterCard service provider lists (it is rare, but I have seen it) which then indicates that the brands are also not doing their due diligence in their review of the AOC.
Hopefully, you now better understand requirement 12.8.2. In a future post I will discuss requirement 12.9.
PCI Guru 
Dear PCI Guru,
I need your expert advice to understand PCI applicability.
My organization shared the legacy data (including PAN numbers) with an external law firm for a legitimate investigation.
We have a contract agreement in place with that wording” where applicable, be certified to the PCI-DSS standards published at http://www.pcisecuritystandards.org, as updated from time to time.” The agreement also covers the detailed security and data protection schedule (GDPR).
Do we consider them (law firm) a PCI service provider? If yes, how do we comply with the PCI requirement?
Do we need to ask the law firm to provide AOC? I am sure they are not complying with the PCI standard.
Thanks
Zulfiqar
The law firm is required to ensure the security of the data, they are NOT a service provider to your organization. You were complying with a lawful investigation and that trumps the PCI DSS but does not mean that the law firm is not on the hook for ensuring the security of the CHD. The law firm needs to acknowledge their obligation to protect the data you turned over and that is all.
Thanks for your helpful response.
It’s mean we need to conduct due diligence against their environment?
No. They just need to acknowledge to your organization that they will respect the privacy and security of the data. If you have an NDA in place due to the lawsuit, then I would rely on that document.
Thanks, I really appreciate your kind and helpful response.
Have you ever encountered a situation where a client uses a third party to manage their parking applications and servers, but the third party will not provide a contract. The third party does installations, patching, support, and upgrades to the parking application and supporting servers. When work is done the third party charges time and materials and sends an invoice. The service provider is a monopoly in the industry for parking applications. Any advice on how to test this requirement based on the information above?
I have never encountered it but now I will have to do some research on it because I think I know the third party you are talking about. More to come.
One quick question, do you have a service provider Attestation Of Compliance from this service provider?
No they do not.
Another question. Are there Terms & Conditions on the invoice that might cover things?
I’m waiting to get the invoice to see, but I’m not very hopeful.
My guess is the T&Cs cover only payment terms and nothing else, but you never know.
I did hear back from some of my QSA friends and a few have seen a similar situation. Unfortunately, none have had to deal with this in a ROC or SAQ. They have just fielded questions.
The bottom line is that we don’t see any sort of good way to construct a compensating control worksheet to get around this issue. The only approach would be to go to the acquiring bank and see how they want it handled.
“It gets worse when you bring this to the attention of the service provider and they get put out or worse, they argue with you over the fact that they must review every facility where a service is conducted.”
Just a quick point. According to the PCI DSS Version 3.2.1 ” After considering the overall scope and complexity of the environment being assessed, the assessor may independently select representative samples of business facilities/system components in order to assess the entity’s compliance with PCI DSS requirements…. Samples must be a representative selection of all of the types and locations of business facilities, as well as all of the types of system components within selected business facilities.”
Except when you are talking about a service provider. The Council through their AQM program that reviews QSAs assessments has been very clear over the years that some types of sampling are NOT acceptable such as sampling facilities where services are provided. Merchants can use sampling to their benefit, but service providers cannot always use sampling of certain items such as data centers, CoLos, SOCs, NOCs, etc. due to their criticality to certain services provided.
Please clarify if each party needs to confirm other parties’ PCI-DSS compliance involving any incoming and outgoing SAD/CHD activity.
I read “merchants only work with third parties that are PCI compliant”, so if you consider SAD/CHD flows from the public person up to the payment processors, that seems like a clear top to bottom approach for checking PCI compliance, starting with the payment processors then each party checking the next parties going “down stream” toward the public person’s action inputting SAD/CHD.
But then I see the sentence “sort of acknowledgement between all parties that they will abide by the PCI DSS”, which seems I need to check the parties above and below my location in the flow of SAD/CHD from the public person up to the payment processors.
I have had some QSAs that want me to check PCI compliance of my organization’s “up stream” payment processors and clearing banks, and some QSAs that do not (or at least do not ask me to).
Please comment. Perhaps something has changed recently?
Parties are only responsible for the monitoring the status of those BELOW them for PCI compliance. Those above them are supposed to know their responsiblities and provide assurance that they are PCI compliant in the form of the Attestation Of Compliance (AOC). That said, a LOT of upstream processors and banks refuse to provide AOCs because “they are banks”. Until the Card Brands mandate that they provide AOCs, that will not change.