One of the livelier discussions at our last PCI Dream Team session concerned requirement 12.8 and third-party management (i.e., service providers). What got the discussion started was Art (Coop) Cooper's comment that only SAQ A states that all third parties must be PCI compliant. All of the other SAQs, and even the ROC, do not state that third parties need to be PCI compliant.
All of this is very true and has been this way since the beginning of the PCI DSS.
But … That is not the whole story.
In this instance, the PCI DSS is not the only game in town.
People forget that Visa, Mastercard, Discover, American Express and JCB (aka “The Brands”) still have their own security programs and requirements in addition to the PCI DSS. Some of these requirements are in their Operating Rules or similar documents. In this case, Visa, Mastercard and Discover all require that service providers be PCI compliant as defined on their respective Web sites. In the case of Visa and Mastercard, they maintain lists of PCI compliant service providers. That said, those lists are marketing ploys that generate revenue for Visa and Mastercard as those service providers listed pay them to be on those lists.
While Coop’s statement is accurate that the PCI DSS does not require service providers to be PCI compliant, it is shortsighted. The Brands do require service providers to be PCI compliant and will enforce it through the merchant agreement/contract all organizations sign in order to accept those cards for payment.
The bottom line is that, if any service provider can provide you a current PCI Service Provider Attestation Of Compliance (AOC), you can use their services and comply with the Visa, Mastercard and Discover contracts.
Coop also stated that he has never seen the Brands enforce the contractual obligation when reviewing organizations’ ROCs and SAQs. That is also a true statement but again not the complete story. Based on what I have been told by lawyers that have been involved in breach litigation, it is the merchant agreement/contract that is used to hold breached merchants legally responsible and enforce fines, not PCI compliance or what is in any PCI document. The PCI documents are used to influence fines and penalties, but the actual enforcement is through the contracts with the Brands. If it is found that an organization was using non-PCI compliant service providers that just adds fuel to the fire.
As famous radio personality Paul Harvey used to say, “And that, is the rest of the story.”
Please unsubscribe me
Will see if I can do that but not sure I can.
I have looked around the WordPress console and cannot find anything that will allow me to unsubscribe you but I will keep looking.
I found a Visa doc that says “Agent registration is required for all entities providing solicitation activities, managed services and/or storing, processing or transmitting Visa cardholder data for Visa clients (or on behalf of their merchants or agents). There are also fines associated for ‘Clients’ using non-registered TPAs.
If this is a requirement with fines associated, would merchants (not Visa ‘Clients’) be liable for the fines if they used a non-registered service provider? I’ve confirmed with Chase that Visa requires TPAs to be registered and PCI compliant.
Just asking because sounds more like a requirement than marketing aid. Appreciate your response and work here.
Sorry, here is the link
Click to access tpa-registration-program-faqs.pdf
This is NOT the Global Registry that is public, this is the internal Visa TPA registration. They are two very different lists. TPAs pay to get registered on the Global Registry. This list is an entirely different list that is internal only to Visa.
I think you are confusing the Global Registry (optional because you pay to get listed) with Visa’s internal TPA registration process which is NOT a public list. Even then, Visa is going to have a tough time managing that process.
I’d like to make an observation.
You stated “… those lists are marketing ploys that generate revenue for Visa and Mastercard as those service providers listed pay them to be on those lists.” Visa’s Global Registry of Validated Service Providers and the MasterCard Compliant Service Provider List exist for the convenience of merchants when they need to select a TPSP. Service providers do not pay the Card Brands for the privilege of being listed in the registries; rather, any payment is related to compliance with the Card Brands’ operating regulations. TPSPs need to be registered in the Brands’ specific Third Party Agent (TPA) programs (which track the relationships between TPSPs and merchants), and there is an administration fee associated with these TPA programs. So, yes, there’s a fee, but it’s not for the purpose you stated.
A year ago, when I registered my last service provider, you still had to pay Visa or Mastercard to be listed on their Global Service Provider Registries. TPAs are an entirely different animal from a managed service provider (MSP) that does not handle CHD/SAD. However, most TPSPs that are listed are TPAs as well.
Wow. Guess I need to shut up.
Sorry to have picked on you! 😉
LOL – No worries. Everything here is true and you’re right – there’s more than the PCI standards. 🙂
I just wanted to point out/clarify one of the statements in your post that may be misinterpreted. When you say:
“it is the merchant agreement/contract that is used to hold breached merchants legally responsible and enforce fines, not PCI compliance or what is in any PCI document. The PCI documents are used to influence fines and penalties, but the actual enforcement is through the contracts with the Brands.”
With Visa and MasterCard, there is no contract between the merchant and the Card Brand. The contract is between the Merchant and their Acquirer. Both Visa and MasterCard forced the Acquirers to insert language in their Merchant contracts through changes in their OP Regs many years ago that require the Merchant to agree to be PCI compliant. This is why the Card Brands fine the Acquiring Bank when assessing fines and penalties for breaches and the Acquirer, in turn, fines the Merchant because there is no direct contract between the Card Brands.
The closed-loop brands like AMEX and Discover may handle things differently but I haven’t been involved in any breaches where they assessed fines against the merchants so I can speak from experience on them. As for JCB, who knows? Have they ever assessed a fine that you know of?
Thanks,
Kelly Clark
The bottom line is that there is a contract involved and that is where the enforcement capability comes from, not the PCI DSS.
Thanks.