thePCI Portal

Service Provider SIG report is published

We all know v3 has increased the focus on service providers (or now known as third party service providers, or TPSPs).  The Council has published the special interest group’s (SIG) guidance on the topic. Of note in the document:

  • The example due diligence process rejects all service providers which don’t have evidence of compliance or a project plan and timeline to complete compliance. In my opinion, a fine place to start.
  • The use of the infamous significant change term, this time relating to the, well, its not clear, but presumably the service of the provider.  (Hmmm, maybe its time for a SIG on defining the term significant change.)
  • No boilerplate for TPSP agreements.  Or example clauses.  This seems to be a common request from merchants and service providers alike.  On the positive side Appendix A has a table meant to be filled out in discussions that might be helpful.  And Appendix B has a sample responsibility matrix .  Unfortunately the table only goes to requirement 1.2.2 and then says “… and so on.”  I guess they want you to build your own table out of the requirements of the standard.pci third party and so on
  • Introduction of the concept of responsibility matrix for agreement.
  • What to do if you discover that you or your provider actually are not compliant but thought you were?  SPOILER:  Figure out who has to fix it and fix it.

And remember, this guidance does not extend the standard.  Its just a little help.

Ad below this line:


Leave a Reply