How to Navigate PCI DSS Third-Party Service Provider Requirements
Payment Card Assessments | PCI DSS | TPRM
Published: Dec 10, 2014
Last Updated: Mar 4, 2025
The Payment Card Industry Data Security Standard (PCI DSS) is a global security framework designed to safeguard credit card information, protect sensitive authentication data, and minimize the risk of fraud. The PCI Security Standards Council (SSC) released a set of guidelines detailing how to manage third-party service provider (TPSP) relationships and PCI DSS compliance requirements. In this article, we break down everything you need to know about navigating PCI DSS TPSP requirements for PCI compliance.
The Role of Third-Party Service Providers in PCI DSS Compliance
The PCI DSS TPSP guidance applies to entities that use or are considering using TPSPs. It also applies to the TPSPs themselves, where they have access to, or can affect the security of, cardholder data (CHD) or the cardholder data environment (CDE). The SSC defines an entity as any organization that has the responsibility to protect card data and may leverage TPSPs to support it in card-processing activities or in securing card data.
TPSPs are widely used in most industries. Some of the more prevalent services that are relevant to a CDE include payment gateways, payment processors, colocation services, cloud infrastructure, managed security services, encryption or tokenization services, application hosting, and managed firewall/router service providers. Relying on another party for services can enable an entity to focus on its core strengths, but it does not relieve an entity from the responsibilities for the security of CHD and the CDE.
Key Considerations for Engaging a TPSP with PCI DSS in Mind
When working with a TPSP in a PCI DSS-regulated environment, it’s essential to establish and maintain clear expectations in order to ensure alignment on compliance responsibilities. The following considerations for strategically engaging a TPSP will help minimize risks and maintain transparency while ensuring compliance efforts remain thorough, well-documented, and consistently applied across all relevant services.
Set Expectations
Outline, agree upon, and document expectations with all TPSPs at least annually and again after any changes in established services. This ensures expectations are understood by all parties involved and are more likely to be met. Keep this documentation accessible and up to date.
Gain Transparency to Scope
An organization should take reasonable steps to determine that the scope of services provided is appropriate and aligned with its own needs. Rather than relying solely on what the TPSP has claimed, consider having an Internal Security Assessor (ISA) or Qualified Security Assessor (QSA) review any available evidence to verify that the scope is indeed applicable, appropriate, and accurate.
Understanding the TPSP’s impact on the entity’s PCI DSS scope provides the basis for determining which requirements the TPSP will be held responsible for. Using a TPSP who has already achieved PCI DSS compliance through a separate validation assessment can help the entity’s own PCI validation assessment process.
Even where validated TPSPs are used, the entity is still responsible for ensuring that the scope of the TPSP's services under consideration is consistent with the scope of the TPSP's independent assessment. There is a risk of gaps between the level of service a provider performs and what that provider has actually been assessed against under PCI DSS. An example would be a data center provider that performs colocation as well as managed services, yet whose compliance reports only cover the physical colocation services. It may be difficult or impossible for an entity to assert a reduction in scope for services not explicitly covered in an independent assessment.
Establish Communications
Consider establishing a communications schedule whereby important matters are discussed. These items should include, but not be limited to, a discussion of significant changes to the CDE and important changes to personnel, processes, procedures, and methodologies that impact the CDE.
Request Evidence
When the TPSP identifies changes and the entity assesses a change as a significant risk, the entity may need to request evidence to verify that appropriate procedures were followed and that controls were deployed to support the change.
Obtain Information about PCI DSS Compliance
Validation documentation should be provided at least annually as evidence of PCI DSS compliance. This information should cover the PCI-relevant service(s) being delivered by the TPSP to the entity. Examples of appropriate validation documentation for the services being offered may include an Attestation of Compliance (AOC), a Self-Assessment Questionnaire (SAQ) with its AOC, an Approved Scanning Vendor (ASV) Scan Report Attestation of Scan Compliance (AOSC), and the payment card brands' validated service provider lists and websites.
Best Practices for Navigating PCI DSS TPSP Requirements
To effectively navigate PCI DSS TPSP requirements, your organization should implement a proactive and structured approach. The following strategies provide guidance on how to establish strong due diligence processes, assess risk, define compliance responsibilities, and integrate TPSPs into security programs. By following these best practices, your organization can enhance your security framework while ensuring TPSPs remain aligned with PCI DSS requirements.
1. Due Diligence Program
Establishing a relationship with any TPSP should start with a due diligence program that includes determining the scope of the TPSP’s involvement with storing, processing, or transmitting CHD and their impact on the security of the CDE. Understanding their involvement helps the entity frame due diligence requirements and risk assessment procedures in relation to the entity’s PCI DSS scope. Each entity must determine the appropriate due diligence process in light of its own CDE.
2. TPSP Risk Assessment
Performing a thorough risk assessment of any TPSP based on an industry-accepted methodology will help an entity understand the risks associated with engaging the TPSP. The supplemental guideline provides TPSP-relevant questions and topics to kick start the risk assessment process. The PCI DSS Risk Assessment Guidelines provide further information for conducting a risk assessment and can be referenced by entities looking for more detailed guidance in this process.
3. Responsibility Matrix for PCI DSS Requirements
An important exercise before engaging with a TPSP is mapping out which PCI DSS requirements will be performed by the TPSP, and which will be performed by the entity. A responsibility matrix can be useful to identify the responsibilities and requirements of each party. Appendix A of the PCI SSC’s information supplement includes high-level discussion points to assist entities and TPSPs in determining responsibilities for each requirement.
4. Incident Response Integration
Incorporate your TPSPs into your incident response plan. Define contacts, roles, communication channels, and escalation paths so that in the event of an incident, all parties can act swiftly and cohesively to mitigate damage.
5. TPSP Monitoring Program
The entity should develop a formal TPSP monitoring program and use it to drive its annual TPSP monitoring and review process. The supplemental guidelines provide excellent suggestions for developing such a program, including the information elements to include in the entity's annual review of each service provider's PCI DSS compliance status. This can be a great resource to assist entities in meeting Requirement 12.8.1.
PCI DSS compliance is a continuous process, not a point-in-time exercise. Developing a TPSP monitoring program is a critical requirement for any entity, especially with regard to managing risks associated with the security of cardholder data. A robust TPSP monitoring program provides additional assurance that TPSP-related risks are appropriately managed and that the responsibilities associated with securing CHD and the CDE are known, agreed to, and clearly defined.
How Schellman Can Help with PCI Compliance
Ensuring PCI DSS compliance when working with third-party service providers requires a thoughtful and proactive approach. By defining clear expectations, gaining transparency into scope, and maintaining open communication, organizations can better manage their TPSP relationships. Implementing best practices such as due diligence programs, risk assessments, and ongoing monitoring is critical to strengthening security and reducing compliance risk. By taking these steps, businesses can confidently navigate PCI DSS third-party service provider requirements while safeguarding cardholder data.
If you’re ready to pursue PCI DSS Validation, Schellman is here to help. To learn more about Schellman’s PCI Compliance services and how we can help you navigate PCI DSS TPSP and other requirements, contact us today.
In the meantime, discover other helpful insights about PCI Compliance in these additional resources:
- PCI Compliance FAQ: Answers to Get You Started
- How Expired Terminals Affect Your PCI Compliance
- The Dangers of Scope Creep for PCI Compliance
- Do You Need an SAQ or ROC for Your PCI Compliance?
About Ken Van Allen
Ken Van Allen is a Senior Associate at Schellman. A collaborative leader with 23 years of experience in elevating the trust and confidence of clients in their technology solutions, Ken previously served insurance, banking, and payment network clients in North and South America and advised them regarding rebuilding their Information Security programs. As a trusted advisor serving alongside business and technology executives from middle management to boards of directors, Ken is passionate about developing people, processes, and programs that secure the confidentiality, integrity, and availability of mission-critical information. At Schellman, he is focused on PCI assessments.