I was asked by a customer who received a request from a merchant (their customer) to acknowledge in writing that they are responsible for securing cardholder data on their systems (reference PCI DSS Requirement 12.8.2). Does my customer need to become PCI compliant? Some background: My client is not aware of the contents of its customer's data as it is encrypted on their systems, but could possibly be decrypted, which is not a normal part of my customer's operations, but it could potentially happen. As my customer is not a merchant, nor do they process credit cards, my question is what due diligence should my client perform prior to providing the merchant acknowledgement for their PCI compliance?
For starters, PCI Requirement 12.8.2 (.pdf) states, “Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.” Simply stated, any entity involved in the processing, storage or transmission of cardholder data is required to become PCI compliant. With that said, some organizations obviously have a greater role and responsibility to play than others regarding PCI compliance, based on their inherent business model.
This issue of who should and shouldn't become PCI compliant is becoming rather complex as of late, due to the nature of many businesses interacting with other businesses that perform credit card services and related activities. Thus, as a QSA, my recommendations are the following:
- As a business, you need to evaluate all of your relationships regarding who you contract services out to for performing work for your business.
- Evaluate all the services you perform for your customers.
- Ask the question, "With all of these relationships now identified, are any of these entities involved in the processing, storage or transmission of cardholder data, and if so, what steps do we need to take to ensure we and they are PCI compliant?”
Once you've identified these entities, you'll need to access the Self Assessment Questionnaire (SAQ) section on the official PCI DSS site. These SAQs will provide examples of business scenarios regarding a given cardholder data environment, then ask you to pick a relevant SAQ, complete it, and keep it on file or provide it to the relevant party.
Lastly, the only true way to know if you need to become PCI compliant in the above scenario or any other scenario is to contact a QSA, discuss your concerns, reach out to all intended parties, and decide on a solution. In short, PCI is more often than not a qualitative judgment call; few areas of PCI compliance are black and white.
This was first published in September 2011