
{"id":1830,"date":"2012-03-13T00:00:00","date_gmt":"2012-03-13T00:00:00","guid":{"rendered":"http:\/\/otava.test\/pci-compliance-with-service-providers\/"},"modified":"2012-03-13T00:00:00","modified_gmt":"2012-03-13T00:00:00","slug":"pci-compliance-with-service-providers","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/pci-compliance-with-service-providers\/","title":{"rendered":"PCI Compliance with Service Providers"},"content":{"rendered":"<p>The <strong>PCI sub-requirements and testing procedures 12.8-12.8.4<\/strong> concern the relationship between merchants and their service providers, including <a href=\"https:\/\/otavawebsite.wpengine.com\/compliance-security\/pci-compliant-cloud\/\">PCI compliant hosting<\/a> providers.<\/p>\n<p>The sub-requirements fall under the main requirement <strong><em>#12: Maintain an Information Security Policy<\/em><\/strong> \u2013 meaning a merchant must maintain a policy that addresses information security for all personnel, including internal employees, contractors and consultants. 
The sub-requirements 12.8-12.8.4 include language that specifically refers to service providers.<\/p>\n<p>According to my <a href=\"https:\/\/otavawebsite.wpengine.com\/blog\/pci-compliance-status-data-breaches\/\">earlier blog post<\/a> and <a href=\"https:\/\/www.verizonbusiness.com\/resources\/reports\/rp_2011-payment-card-industry-compliance-report_en_xg.pdf\">Verizon\u2019s 2011 PCI Compliance Report<\/a> (PDF), this is one of the most difficult <a href=\"https:\/\/www.onlinetech.com\/secure-hosting\/pci-compliant-hosting\/pci-glossary-of-terms#Payment Card Industry\">PCI DSS<\/a> requirements for most organizations to achieve, with only 39 percent of merchants at full achievement.<\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"85\"><span style=\"color: #00ccff;\"><strong>12.8<\/strong><\/span><\/td>\n<td valign=\"top\" width=\"553\">If <a href=\"https:\/\/www.onlinetech.com\/secure-hosting\/pci-compliant-hosting\/pci-glossary-of-terms#Cardholder Data\">cardholder data<\/a> is shared with service providers (for example backup tape storage or managed service providers, or providers that use the data for fraud modeling), you must maintain and implement policies and procedures to manage those service providers.<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"85\"><strong>How do you test it?<\/strong><\/td>\n<td valign=\"top\" width=\"553\">You can test it the way an assessor does: observe that the policies and procedures are followed in practice, and review the supporting documentation for each of the four sub-requirements below:<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"85\"><strong>12.8.1<\/strong><\/td>\n<td valign=\"top\" width=\"553\">Maintain a list of service providers.<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"85\"><strong>How do you test it?<\/strong><\/td>\n<td valign=\"top\" width=\"553\">Pretty self-explanatory; keep a current and 
comprehensive list of the vendors with which you share cardholder data, and verify it is updated whenever you sign with a new provider or end a contract. It\u2019s also good practice to record each service provider\u2019s audit type and date, and which of its services were in scope for that audit, so you can verify its ongoing compliance yourself.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"85\"><strong>12.8.2<\/strong><\/td>\n<td valign=\"top\" width=\"553\">Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"85\"><strong>How do you test it?<\/strong><\/td>\n<td valign=\"top\" width=\"553\">Check your contract for specific language on the roles and responsibilities of your service providers when it comes to securing cardholder data; at a minimum it must contain the provider\u2019s written acknowledgement that it is responsible for the security of the cardholder data it possesses. Then look for the practical details. If there is a data breach affecting your servers or data, in what timeframe and by what process must the service provider notify you? How long may data be retained after your contract expires, and how must it be deleted? And, more importantly, who has ownership of, or rights to, your data?<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"85\"><strong>12.8.3<\/strong><\/td>\n<td valign=\"top\" width=\"553\">Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"85\"><strong>How do you test it?<\/strong><\/td>\n<td valign=\"top\" width=\"553\">Create a document with policies and procedures around how you qualify a vendor\u2019s ability to provide a secure <a href=\"https:\/\/otavawebsite.wpengine.com\/operations\/locations\/michigan-cloud-and-data-centers\/\/compliance\/pci-compliant-data-centers\">PCI compliant data center<\/a> and services. 
Do that due diligence up front to save yourself a headache later \u2013 check the provider\u2019s PCI audit report for the exact scope of its validated compliance (which services and which requirements it covers) and compare that against what you still need to cover yourself. Outsourcing a service does not outsource the responsibility: anything outside the provider\u2019s validated scope remains yours to secure and to demonstrate to your own assessor.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"85\"><strong>12.8.4<\/strong><\/td>\n<td valign=\"top\" width=\"553\">Maintain a program to monitor service providers\u2019 PCI DSS compliance status at least annually.<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"85\"><strong>How do you test it?<\/strong><\/td>\n<td valign=\"top\" width=\"553\">Establish an internal way to verify each service provider\u2019s ongoing PCI compliance status every year, whether by assigning a point of contact who obtains and reviews the provider\u2019s latest audit report, or by keeping in touch with the provider\u2019s security officer to confirm its compliance dates. Record the date and outcome of each check so you can show an assessor that the monitoring actually happened.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Find out more about PCI DSS and what you need to achieve compliance &#8211; read our <a href=\"https:\/\/otavawebsite.wpengine.com\/reference\/two-factor-authentication-for-vpn-login-faq\/\">Two-Factor Authentication<\/a> FAQ.<\/p>\n<p>Recommended links:<br \/>\n<a href=\"https:\/\/www.onlinetech.com\/secure-hosting\/pci-compliant-hosting\/pci-glossary-of-terms\">PCI Glossary of Terms<\/a><br \/>\n<a href=\"https:\/\/www.onlinetech.com\/secure-hosting\/pci-compliant-hosting\/levels-of-pci-compliance\">Levels of PCI Compliance<\/a><br \/>\n<a href=\"https:\/\/www.onlinetech.com\/secure-hosting\/pci-compliant-hosting\/who-needs-to-be-pci-compliant\">Who Needs to be PCI Compliant?<\/a><\/p>\n<p>References:<br \/>\n<a href=\"https:\/\/www.sans.org\/reading_room\/whitepapers\/compliance\/contracting-pci-dss-compliance_33403\">Contracting for PCI DSS Compliance from The SANS Institute (PDF)<\/a><br \/>\n<a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/pci_dss_v2.pdf\">PCI DSS Requirements and 
Security Assessment Procedures, Version 2.0 (PDF)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The PCI sub-requirements and testing procedures 12.8-12.8.4 concern the\u00a0relationship between merchants and their service providers, including PCI compliant hosting providers. The sub-requirements fall under the main requirement #12: Maintain an Information Security Policy \u2013 meaning a merchant must maintain a policy that addresses information security for all personnel, including internal employees, contractors and consultants. The sub-requirements 12.8-12.8.4 include language that specifically refers to service providers. According to my earlier blog post and Verizon\u2019s 2011 PCI Compliance Report (PDF), this is one of the most difficult PCI DSS\u00a0requirements for most organizations to achieve, with only 39 percent of merchants at full achievement. 12.8 If cardholder data is shared with service providers [backup tape storage or managed service providers, or those that use the data for fraud modeling purposes], you must maintain and implement policies and procedures to manage service providers. How do you test it? You can test it by observing, reviewing policies and procedures, and reviewing supporting documentation for the rest of the requirements: 12.8.1 Maintain a list of service providers.\u00a0 How do you test it? 
Pretty self-explanatory; keep a current and comprehensive list of vendors and verify it is updated whenever you sign with a new provider or end&#8230;<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"other_category":[],"class_list":["post-1830","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.2 (Yoast SEO v27.2) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>PCI Compliance with Service Providers | OTAVA<\/title>\n<meta name=\"description\" content=\"PCI sub-requirements and testing procedures 12.8-12.84 concern the\u00a0relationship between merchants and their service providers.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.otava.com\/blog\/pci-compliance-with-service-providers\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"PCI Compliance with Service Providers\" \/>\n<meta property=\"og:description\" content=\"PCI sub-requirements and testing procedures 12.8-12.84 concern the\u00a0relationship between merchants and their service providers.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.otava.com\/blog\/pci-compliance-with-service-providers\/\" \/>\n<meta property=\"og:site_name\" content=\"OTAVA\" \/>\n<meta property=\"article:published_time\" content=\"2012-03-13T00:00:00+00:00\" \/>\n<meta name=\"author\" content=\"Irma Brillantes\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Irma 
Brillantes\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.otava.com\/blog\/pci-compliance-with-service-providers\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.otava.com\/blog\/pci-compliance-with-service-providers\/\"},\"author\":{\"name\":\"Irma Brillantes\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263\"},\"headline\":\"PCI Compliance with Service Providers\",\"datePublished\":\"2012-03-13T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.otava.com\/blog\/pci-compliance-with-service-providers\/\"},\"wordCount\":537,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.otava.com\/#organization\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.otava.com\/blog\/pci-compliance-with-service-providers\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.otava.com\/blog\/pci-compliance-with-service-providers\/\",\"url\":\"https:\/\/www.otava.com\/blog\/pci-compliance-with-service-providers\/\",\"name\":\"PCI Compliance with Service Providers | OTAVA\",\"isPartOf\":{\"@id\":\"https:\/\/www.otava.com\/#website\"},\"datePublished\":\"2012-03-13T00:00:00+00:00\",\"description\":\"PCI sub-requirements and testing procedures 12.8-12.84 concern the\u00a0relationship between merchants and their service 
providers.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.otava.com\/blog\/pci-compliance-with-service-providers\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.otava.com\/blog\/pci-compliance-with-service-providers\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.otava.com\/blog\/pci-compliance-with-service-providers\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.otava.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"PCI Compliance with Service Providers\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.otava.com\/#website\",\"url\":\"https:\/\/www.otava.com\/\",\"name\":\"OTAVA\u00ae\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.otava.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.otava.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.otava.com\/#organization\",\"name\":\"OTAVA\u00ae\",\"url\":\"https:\/\/www.otava.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg\",\"contentUrl\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg\",\"caption\":\"OTAVA\u00ae\"},\"image\":{\"@id\":\"https:\/\/www.otava.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263\",\"name\":\"Irma 
Brillantes\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"caption\":\"Irma Brillantes\"},\"url\":\"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"PCI Compliance with Service Providers | OTAVA","description":"PCI sub-requirements and testing procedures 12.8-12.84 concern the\u00a0relationship between merchants and their service providers.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.otava.com\/blog\/pci-compliance-with-service-providers\/","og_locale":"en_US","og_type":"article","og_title":"PCI Compliance with Service Providers","og_description":"PCI sub-requirements and testing procedures 12.8-12.84 concern the\u00a0relationship between merchants and their service providers.","og_url":"https:\/\/www.otava.com\/blog\/pci-compliance-with-service-providers\/","og_site_name":"OTAVA","article_published_time":"2012-03-13T00:00:00+00:00","author":"Irma Brillantes","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Irma Brillantes","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.otava.com\/blog\/pci-compliance-with-service-providers\/#article","isPartOf":{"@id":"https:\/\/www.otava.com\/blog\/pci-compliance-with-service-providers\/"},"author":{"name":"Irma Brillantes","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263"},"headline":"PCI Compliance with Service Providers","datePublished":"2012-03-13T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.otava.com\/blog\/pci-compliance-with-service-providers\/"},"wordCount":537,"commentCount":0,"publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.otava.com\/blog\/pci-compliance-with-service-providers\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.otava.com\/blog\/pci-compliance-with-service-providers\/","url":"https:\/\/www.otava.com\/blog\/pci-compliance-with-service-providers\/","name":"PCI Compliance with Service Providers | OTAVA","isPartOf":{"@id":"https:\/\/www.otava.com\/#website"},"datePublished":"2012-03-13T00:00:00+00:00","description":"PCI sub-requirements and testing procedures 12.8-12.84 concern the\u00a0relationship between merchants and their service providers.","breadcrumb":{"@id":"https:\/\/www.otava.com\/blog\/pci-compliance-with-service-providers\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.otava.com\/blog\/pci-compliance-with-service-providers\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.otava.com\/blog\/pci-compliance-with-service-providers\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.otava.com\/"},{"@type":"ListItem","position":2,"name":"PCI Compliance with Service 
Providers"}]},{"@type":"WebSite","@id":"https:\/\/www.otava.com\/#website","url":"https:\/\/www.otava.com\/","name":"OTAVA\u00ae","description":"","publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.otava.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.otava.com\/#organization","name":"OTAVA\u00ae","url":"https:\/\/www.otava.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","contentUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","caption":"OTAVA\u00ae"},"image":{"@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263","name":"Irma Brillantes","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","caption":"Irma 
Brillantes"},"url":"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/"}]}},"_links":{"self":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/1830","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/comments?post=1830"}],"version-history":[{"count":0,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/1830\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/media?parent=1830"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/categories?post=1830"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/tags?post=1830"},{"taxonomy":"other_category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/other_category?post=1830"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}