PCI DSS Requirement 12.8 dictates that any organization involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers—must have policies and procedures in place to manage its service providers.
Specifically, 12.8.3 requires due diligence in assessing service providers before engaging them.
As a QSA, what I look for are records of the tests performed and decisions made with respect to those service providers.
These records must be retained for as long as the business relationship or ability to impact the security of cardholder data lasts. While records of the initial due diligence of the service provider will need to be preserved, an update to show that the provider is still compliant will also need to be produced annually.
At a minimum this should include validating that the service provider has an AOC and responsibility matrix or implements controls such as:
If the service provider has its own AOC, all of these may be considered covered. The responsibility matrix should still be reviewed to ensure that none of these requirements goes unfulfilled.
I also recommend that business due diligence include some form of financial stability assessment. An overall risk assessment that addresses factors such as security incidents discovered in the past 12-24 months and recent involuntary staff turnover is also worth performing, even though PCI DSS does not require it.