Third-Party Service Provider AoCs
Requirement 12 of the PCI DSS can be found in all of the Self-Assessment Questionnaires and focuses primarily on the policies and procedures each merchant should have in place, as well as the requirements for monitoring any third-party service providers that may be involved in the payment card process.
Requirement 12.8.1 requires merchants to maintain a list of all service providers.
Requirement 12.8.2 asks organizations to maintain a written agreement that includes an acknowledgement that service providers are responsible for the security of cardholder data.
Requirement 12.8.3 states that proper due diligence, prior to engagement, is required for every PCI-related third-party service provider that your organization considers working with.
Requirement 12.8.4 requires merchants to establish a clearly defined program to monitor service providers’ compliance status annually.
Requirement 12.8.5 details the requirement for maintaining information about which DSS requirements are managed by the service provider, and which are managed by your organization.
During the initial evaluation of a potential third-party partner, merchants should understand the requirements within your organizational policy and the process for conducting vendor security evaluations. This policy should stipulate that all third-party service providers must provide evidence of their PCI DSS compliance in the form of a signed Attestation of Compliance (AoC) that has been properly completed and is less than twelve months old.
Unfortunately, when making this request to a new vendor during the initial review (and annually thereafter), you may have trouble getting the vendor to provide an AoC. Some vendors may attempt to sidestep the request if they believe they are not required to comply. Common responses from vendors include, “We don’t store cardholder information,” or “We don’t process the payments; we integrate with PayPal/Auth.Net/Stripe, etc.” In both of these cases, they may be correct in their assertions, but this does not absolve the vendor of all compliance responsibilities, and due to the fact that they still can impact the security of the payment process, they are still required to provide the requested AoC.
Other responses we have seen more frequently in recent months include: their refusal to provide the AoC without a non-disclosure agreement (NDA) in place or until a contract is signed; they may point you to the Visa Global Registry of Service Providers where you can confirm their status; or they may provide some alternate certificate of compliance. CampusGuard would like to remind merchants that they should always require the official AoC document and push back on those vendors that have not provided this upon request.
The PCI Council addressed this through multiple communication methods referencing PCI FAQs 1220 and 1354:
As noted in FAQ 1220 “Are compliance certificates recognized for PCI DSS validation?” the only documentation recognized for PCI DSS validation are the official documents from the PCI SSC website. While the FAQ addresses compliance certificates specifically, the underlying logic extends to the inadequacy of anything other than the AoC.
If there are concerns about sensitive data within the AOC, please refer to FAQ 1354 “Can the AoC be redacted to protect sensitive information?” Keep in mind that the information contained within the AoC must provide a meaningful summary of the assessed environment in order to provide customers with assurance that the AOC actually represents the environment in question, such that the partners/customers of such third-party service providers have the compliance assurances they need for their own compliance obligations.
The PCI Council further added that when QSAs work with service providers, The PCI AQM team encourages all assessors to set the expectation with their client that the client will need to provide the AOC upon request from their own partners/customers, and should have a process to distribute the AOC in a timely manner upon request.
The vendor Attestation of Compliance is already a redacted version of the Report on Compliance or Self-Assessment Questionnaire and should, therefore, only contain information that can be made publicly available. Third-parties should consider using the AoC as a sales/marketing tool, promoting their secure business practices and their ability to protect customers’ payment card information. If your merchants find themselves in a stand-off with a current or prospective third-party service provider over this required compliance documentation, please don’t hesitate to reach out to your dedicated CampusGuard team for assistance.
Some additional guidance from CampusGuard’s Security Advisor Team:
[Campbell]: There are many different models for third-party partnerships. Don’t forget that even in models where the third party is the merchant of record you have reputational risk. CampusGuard recommends trying to treat these entities as closely as possible like you would a formal PCI service provider. Request an AoC, seek appropriate contract verbiage, etc. If the vendor balks at any particular step it becomes a risk-based decision for the institution, since the vendor holds the formal compliance responsibility.
Back to third parties who help facilitate payments settling against your merchant account, as the article discusses, we’ve certainly seen a fair number of companies trying to act like their compliance burden is zero if they don’t directly process or store cardholder data. This is common with vendors providing web front-ends for things like ticketing or event registration. We’ll find a validated payment processor or gateway on the back-end. If the vendor were the merchant of record they would likely qualify for SAQ A. And therefore be responsible for the requirements included in SAQ A, including the technical controls from requirements 2, 6, and 8, which are to be applied to the web redirection server. Just because the vendor is a service provider instead of a merchant doesn’t change the model or make the risks that SAQ A is trying to protect against go away. Hence the vendor, as a service provider, would at a minimum need to demonstrate that SAQ A controls are in place in their environment, with this completed on the appropriate SAQ D for Service Providers.
Finally, pay close attention to the AoC version and, when shared, SAQ version provided by third parties. We see cases where a service provider supplies a merchant SAQ, such as SAQ A or SAQ C. While service providers might be able to follow FAQ 1331 and use a reduced merchant SAQ as a guide to applicability, all reduced SAQs are appropriate for merchants only. The only two acceptable assessment instruments for service providers are SAQ D for Service Providers or a Report on Compliance.