PCI Compliance Policy for Third Party Service Providers (TPSP)
A third-party service provider is a business entity directly involved in the processing, storage, or transmission of transaction data or of cardholder data on behalf of the university. The term also includes companies or organizations that provide services that control or could impact the security of cardholder data, or that manage system components – such as routers, firewalls, databases, physical security, and/or servers – in the university's CDE. In short, when an entity processes, stores, or transmits cardholder data on behalf of the university, has access to the university's cardholder data, or redirects to a payment page, it is a service provider.
The use of a TPSP, however, does not relieve the university merchant of ultimate responsibility for its own PCI DSS compliance, or exempt the university from accountability and obligation for ensuring that its cardholder data (CHD) and Cardholder Data Environment (CDE) are secure.
Proper due diligence and risk analysis are critical components in the selection of any TPSP.
University merchants that use Third Party Service Providers (TPSP) should clearly identify the services and system components that are included in the scope of their service provider's PCI DSS assessment, as well as the PCI DSS requirements covered by the service provider.
Third-Party Service Provider Due Diligence: Thorough vetting of candidates through careful due diligence, prior to establishing a relationship, assists in reviewing and selecting TPSPs with skills and experience appropriate for the engagement.
Example of a Due Diligence Process
Service Correlation to PCI DSS Requirements: Understand how the services provided by the TPSP correspond to the applicable PCI DSS requirements and determine the potential security impact of utilizing the TPSP in the cardholder data environment. Define and identify which of the PCI DSS requirements will apply to and be satisfied by the TPSP, and which will apply to and be met by the university merchant.
Note: Ultimate responsibility for compliance resides with the merchant, regardless of how specific responsibilities may be allocated between a merchant and its TPSP(s).
Written Agreements and Policies and Procedures: Detailed written agreements promote consistency and mutual understanding between the university and its TPSP(s) concerning their respective responsibilities and obligations with respect to PCI DSS compliance requirements.
There are two options for third-party service providers to validate compliance:
- They can undergo a PCI DSS assessment on their own and provide evidence to their customers to demonstrate their compliance; or,
- If they do not undergo their own PCI DSS assessment, they can have their services reviewed during the course of each of their customers' PCI DSS assessments.
If the third party undergoes its own PCI DSS assessment, it should provide sufficient evidence to the university to verify that the scope of the service provider's PCI DSS assessment covered the services applicable to the customer and that the relevant PCI DSS requirements were examined and determined to be in place. The specific type of evidence provided by the service provider to its customers will depend on the agreements and/or contracts in place.
University policy on merchants engaging with a TPSP mandates inclusion of the Fullerton Addendum in all contracts/agreements, which must be reviewed and approved by the University Information Security Officer. The Fullerton Addendum relating to PCI compliance states:
Contractor represents and warrants that it shall implement and maintain certification of Payment Card Industry ("PCI") compliance standards regarding data security and that it shall undergo independent third party quarterly system scans that audit for all known methods hackers use to access private information, in addition to vulnerabilities that would allow malicious software (i.e., viruses and worms) to gain access to or disrupt the network devices. If during the term of the Agreement, Contractor undergoes, or has reason to believe that it will undergo, an adverse change in its certification or compliance status with the PCI DSS standards and/or other material payment card industry standards, it will promptly notify the CSU of such circumstances.
Contractor agrees to promptly provide current evidence of PCI-DSS standards at the CSU request. The form and substance of such evidence must be reasonably satisfactory to and must be certified by an authority recognized by the payment card industry for that purpose.
Contractor shall maintain and protect in accordance with all applicable laws and PCI regulations the security of all cardholder data when performing the contracted Services on behalf of the CSU.
Contractor will provide reasonable care and efforts to detect fraudulent credit card activity in connection with credit card transactions processed for the CSU.
Contractor shall indemnify and hold CSU harmless from loss or damages resulting from Contractor's failure to maintain PCI compliance standards in accordance with this section.
Contractor shall not be held responsible for any such loss of data if it is shown that the loss occurred as a result of the sole negligence of the CSU.
Monitor Third-Party Service Provider Compliance Status: Maintaining an updated list of each TPSP's PCI DSS compliance status provides assurance and awareness of whether the TPSP complies with the applicable requirements for the services provided. If the TPSP offers a variety of services, this knowledge will assist the merchant in determining which TPSP services will be in scope for the merchant's PCI DSS assessment.
The university maintains an inventory of all TPSPs that are considered PCI in-scope.