PCI DSS compliance: What is a Third Party Service Provider?


Navigating the complexities of PCI DSS compliance can be challenging, especially when it comes to understanding the role of Third Party Service Providers (TPSPs). We spoke to our PCI DSS experts to clarify what a TPSP is and their requirements under PCI DSS.

The difference between Merchants and Service Providers

Companies that are in-scope for PCI DSS compliance can be categorised as Merchants and Service Providers.

Merchants: These are businesses that accept payment cards bearing the logo of payment brands, such as Visa and Mastercard, as a method of payment for goods and services provided.

Service Providers (TPSPs): These are businesses that provide a service to Merchants (or to other Service Providers) which has an impact on the security of the Merchant's payment card data.

However, the same company can actually be both if it fulfils both functions. An example might be a Data Centre hosting a customer’s IT environment. The customer may be storing cardholder data in these systems, so from a hosting perspective the Data Centre company is a TPSP. It may also be a Merchant if it accepts card payments for its hosting services.

Common misunderstandings about TPSPs

When carrying out PCI DSS assessments, our QSAs frequently navigate through a range of client misinterpretations and uncertainty on the subject of TPSPs.

This is often centred around the requirements in 12.8, which are all about managing the Merchant / TPSP business relationship. For example, 12.8.4 stipulates that a process must be in place to monitor the PCI DSS compliance status of each in-scope service provider at least annually. However, many TPSPs mistakenly believe that if they don’t directly handle cardholder data, they don’t need to comply with PCI DSS.

A typical response from in-scope TPSPs which are not an obvious payment gateway provider is “we don’t handle cardholder data, so we don’t need to be included in this” and “we are not a PCI DSS service provider”.

This is directly at odds with the guidance provided by the PCI Security Standards Council (SSC). So, what is the real story?

Clarifying TPSP roles

There is a very useful Glossary of Terms included in the PCI DSS standard itself as well as information supplements such as Third-Party Security Assurance available in the SSC’s online Document Library. Here, it states that TPSPs aren’t just companies that process, store, or transmit cardholder data. They also include companies that provide services that could control or impact the security of cardholder data.

Some examples of TPSPs (not intended to be an all-inclusive list) are:

It is worth noting that an Acquirer bank is normally not considered to be a service provider for the purposes of Requirement 12.8. Also, where a telecoms company is providing a communications link, or an Internet Service Provider is providing a ‘pipe’ for internet access, these types of companies are not considered to be PCI DSS service providers.

We can help you with your PCI DSS compliance

Understanding and managing TPSP compliance can be tricky. That’s where our PCI DSS experts come in. We can help you establish best practice processes for TPSP compliance and assess your TPSP 12.8 requirements as part of a broader PCI DSS gap analysis.

By clearly understanding the role of TPSPs and their compliance requirements, you can ensure better security for your payment card data and maintain PCI DSS compliance more effectively. Get in touch to discuss how we can make your PCI DSS compliance easier.
