Version 3.0 of the PCI Data Security Standard goes into effect in 2015, and some of the changes mean significant new responsibilities for merchants and the vendors who provide services for them. Today we’re going to take a look at two rules that impact the responsibilities of merchants and their service providers.
Documenting Responsibilities of Service Providers
The first rule, Requirement 12.8.5, affects merchants with vendors providing support related to a cardholder data environment. What does that mean, exactly? This is any kind of support for systems on which card data is processed, transmitted, or stored – it could mean hosting services or security services. The rule specifies that a merchant must document in writing the responsibilities of each party as it relates to PCI.
In the past, some merchants have had a tendency to say that they’ve outsourced their PCI responsibilities to a given service provider. Now, the Council is clarifying that merchants cannot outsource their PCI obligation in its entirety – but they can outsource elements of the execution. This rule provides guidance for that process.
When a merchant outsources an element of their PCI compliance execution, they must now document the responsibilities of each party – vendor and merchant alike. Merchants need to drive this process in order to make sure that all relevant responsibilities are clearly articulated and agreed. This way, there can be no confusion or ambiguity in the event that the merchant is later found to be out of compliance. With clear documentation, a merchant knows exactly what services they are receiving with respect to PCI.
Affirming Responsibilities of Service Providers
Another related rule, Requirement 12.9, specifies that service providers must affirm their responsibility for specific elements of a client’s PCI compliance. This affirmation must be explicit and documented: the vendor is required to submit the acknowledgment in writing. With these two new requirements, the PCI Council hopes to reduce ambiguity around the degree to which service providers may take on merchants’ PCI responsibilities. Since this may require significant effort on the part of merchants and vendors, these new rules are considered “best practices” until July 1, 2015, at which point they will become full-blown requirements. Organizations with reporting dates before July will not be responsible for these rules until the following year, while those with reporting dates after July will have to demonstrate compliance in 2015. For all merchants, however, it is advisable to nail down your service providers’ responsibilities in writing as soon as possible.