Ensuring PCI DSS Compliance in the Cloud: Service Provider Due Diligence, Part 2

posted in: SSIC Americas

By Allan Pelais de Queiroz, SSIC Americas’ Senior Consultant and Certified PCI DSS QSA

In my first blog in this series, I discussed what organizations transitioning to the cloud need to consider from a PCI perspective. For organizations partnering with a service provider to host their cardholder data in the cloud, it’s important to properly manage the relationship with the service provider and understand the security implications.

As described in Part 1, performing a data flow review and a gap analysis of the service provider is the first step. You can then move on to managing the service provider relationship itself.

Per PCI DSS 3.2 requirement 12.8, you need to maintain and implement policies and procedures to manage service providers. To do so, the PCI Security Standards Council (SSC) established the following sub-requirements under Requirement 12.8:

  • 12.8.1 Maintain a list of service providers, including a description of the service provided.
  • 12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data under their service.
  • 12.8.3 Ensure there is an established process for engaging service providers, including proper diligence prior to initiating the engagement.
  • 12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
  • 12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the organization.

Here is a quick set of questions to consider that can help you facilitate compliance with these requirements:

  • 12.8.1 How many service providers have you identified? Use an Excel spreadsheet to list all of them, along with the service each one provides.
  • 12.8.2 For each service provider, you need to review the contract to determine if the requirements under its responsibility are clearly defined. You may need to ask for some additional documentation, such as the PCI DSS Responsibility Matrix, to confirm who’s responsible. Tip: It is really common for a salesperson to say the provider is PCI DSS compliant. But that doesn’t mean that all services were assessed. Make sure the service YOU are using was included in the service provider’s Attestation of Compliance (AOC). For example, let’s say you decide to use a cloud cache service. To confirm compliance, check the matrix to verify that the cache service was actually included in the AOC. Keep records of these documents.
  • 12.8.3 This is not the sole responsibility of IT security. Your legal department has likely defined a compliance process. For PCI DSS purposes, it should be enough if you detail all the steps performed before engaging service providers.
  • 12.8.4 Once you have completed all the steps above, it is time to monitor compliance status. A key activity here is taking note (use the spreadsheet again) of the AOC expiration date. Once the AOC is 365 days old, you need to get a new report. Ensure you have set a reminder on your calendar. Keep in mind that if your service provider doesn’t have an AOC, it means you or your QSA will need to perform the assessment.
  • 12.8.5 Finally, you may use the gap analysis to confirm you have evaluated all the requirements defined under service provider responsibility. If you haven’t, you may need to go back through all the requirements and list them. Your findings can then be exported to Excel.
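The spreadsheet the questions above describe can be turned into a small script that runs the same checks automatically. The following Python inventory is an added example, not code from the original post: it keeps the 12.8.1 provider list, checks that the service in use is actually listed on the provider’s AOC (12.8.2), computes the AOC age against the 365-day window and the date the next report is due (12.8.4), and flags any requirement that neither the organization nor a provider has claimed in the responsibility matrix (12.8.5). The provider names, dates, service descriptions and requirement numbers in the sample data are constructed for illustration.

```python
"""Service provider inventory implementing the PCI DSS 12.8 checks.

Added example (not from the original post). The sample providers, dates and
requirement numbers below are constructed, not real assessment data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Iterable, List, Set, Tuple

# 12.8.4: once the AOC is 365 days old, a new report must be obtained.
AOC_MAX_AGE_DAYS = 365


@dataclass
class ServiceProvider:
    name: str
    service_used: str                 # 12.8.1: description of the service provided
    aoc_date: date                    # date on the provider's Attestation of Compliance
    aoc_services: Set[str]            # services actually assessed and listed on the AOC
    # 12.8.5: requirements the provider's responsibility matrix assigns to the provider
    provider_requirements: Set[str] = field(default_factory=set)


def aoc_age_days(provider: ServiceProvider, today: date) -> int:
    """Age of the provider's AOC in days as of `today`."""
    return (today - provider.aoc_date).days


def aoc_is_current(provider: ServiceProvider, today: date) -> bool:
    """True while the AOC is younger than the 365-day monitoring window."""
    return aoc_age_days(provider, today) < AOC_MAX_AGE_DAYS


def next_aoc_due(provider: ServiceProvider) -> date:
    """Date to put on the calendar: the day the current AOC turns 365 days old."""
    return provider.aoc_date + timedelta(days=AOC_MAX_AGE_DAYS)


def service_in_aoc_scope(provider: ServiceProvider) -> bool:
    """12.8.2: the service YOU use must be one of the services listed on the AOC."""
    return provider.service_used in provider.aoc_services


def unassigned_requirements(providers: Iterable[ServiceProvider],
                            org_requirements: Set[str],
                            all_requirements: Set[str]) -> List[str]:
    """12.8.5: requirements that neither the organization nor any provider owns."""
    owned = set(org_requirements)
    for p in providers:
        owned |= p.provider_requirements
    return sorted(all_requirements - owned)


def review_providers(providers: Iterable[ServiceProvider],
                     today: date) -> List[Tuple[str, str]]:
    """Run the 12.8.2 scope check and the 12.8.4 age check for every provider."""
    findings = []
    for p in providers:
        if not service_in_aoc_scope(p):
            findings.append((p.name, f"service '{p.service_used}' is not listed on the AOC"))
        if not aoc_is_current(p, today):
            findings.append((p.name, f"AOC is {aoc_age_days(p, today)} days old; "
                                     f"request a new report"))
    return findings


# Constructed sample inventory (hypothetical providers, dates and services).
TODAY = date(2018, 6, 1)
SAMPLE_PROVIDERS = [
    # The cache service is in use, but only VMs and storage were assessed on the AOC.
    ServiceProvider("ExampleCloud", "managed cache", date(2017, 9, 15),
                    {"virtual machines", "object storage"}, {"1.1", "1.2", "2.2"}),
    # Service is in scope, but the AOC is more than a year old.
    ServiceProvider("ExampleHost", "virtual machines", date(2017, 3, 1),
                    {"virtual machines"}, {"9.1", "9.2"}),
]
SAMPLE_ORG_REQUIREMENTS = {"12.8"}
SAMPLE_ALL_REQUIREMENTS = {"1.1", "1.2", "2.2", "8.2", "9.1", "9.2", "12.8"}

if __name__ == "__main__":
    for name, finding in review_providers(SAMPLE_PROVIDERS, TODAY):
        print(f"[{name}] {finding}")
    for p in SAMPLE_PROVIDERS:
        print(f"[{p.name}] next AOC due {next_aoc_due(p)}")
    gaps = unassigned_requirements(SAMPLE_PROVIDERS, SAMPLE_ORG_REQUIREMENTS,
                                   SAMPLE_ALL_REQUIREMENTS)
    print("requirements with no owner:", gaps)
```

Running the script on the constructed data reports the cache service as outside the AOC scope for the first provider, the stale AOC for the second, and requirement 8.2 as owned by nobody, which is exactly the gap the 12.8.5 review is meant to surface before an assessor does.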

As you may have noticed, the whole process detailed under requirement 12.8 will guide you through assessing each service provider’s engagement against the same requirements that your organization is subject to. Also note that 12.8 is a one-to-many approach, so you may have to repeat the process for every other service provider to ensure continued protection of cardholder data.