thePCI Portal

Whats the 411 on section 4.11 Managed Service Provider?

While completing a version 3.2 PCI DSS assessment, you will eventually get to section 4.11 titled Managed service providers.  (the section formerly known as 4.12 in version 3.1)

Presuming that the assessed entity is a service provider, what constitutes a “managed” service provider?

Section 4.11 does not shed much light on the topic.  Time to dig a little deeper.  As of Jan 4 2017, the term MANAGED SERVICE PROVIDER does not exist in the official PCI DSS Glossary or anywhere in the FAQ.

Google digs up Richard’s 2014 random blog post comment that he asked the council to define the term back in 2013 but doesn’t provide any more information.  (insert sad face emoticon)

Time to pull out the big guns!  Who better to define what a MSP is other than the MSP Alliance AKA: the International Association of Cloud and Managed Service Providers?    The first sentence on their official definition page states:

“Managed Services is a term that can mean many things to many different people.”

Fortunately, it gets better.  The closest and best definition came out of a meeting of top MSP leaders over 10 years ago; this is the definition they created:

“Managed Services is the proactive management of an IT (Information Technology) asset or object, by a third party typically known as a MSP, on behalf of a customer. The operative distinction that sets apart a MSP is the proactive delivery of their service, as compared to reactive IT services, which have been around for decades.”

So if the service that the service provider (aka the assessed entitiy) provides is NOT the proactive management of technology things, then they are NOT a MSP.  Clear?

Provide a printing service = TPSP, but NOT a MSP

Let a client use your printer = TPSP, but NOT a MSP

Proactively manage client’s printers =TPSP and MSP

Ad below this line:



Leave a Reply