Since you are not transferring, processing or storing cardholder data, you are not specifically under the purview of the Payment Card Industry Data Security Standard (PCI DSS). Thus, under the letter of the regulation, you don't need to become a PCI DSS-compliant service provider per se. However, as your staff will have access to the client's database, you will need to have processes in place so your client can properly demonstrate compliance with the regulation, as they themselves are still required to be PCI DSS compliant. As a result, your client will likely require that you have specific controls, processes and training in place for your staff.
Most specifically, your staff should be required to undergo PCI DSS security awareness training that covers the requirements of PCI DSS, as well as any specific needs of the client. Additionally, you will want some sort of monitoring tool in place so you can cleanly document what your staff has and hasn't done. This tool can be a formal database-monitoring product or something as simple as a log-monitoring tool; it could also be the deployment of something like a NetWitness or NetScout probe to collect data for later analysis.
Finally, your staff will need a process to document any changes made by the team to the databases, as well as document processes that interact with the client's change-control procedures. All changes (be they something as simple as a password reset or something as complex as a schema change) should be documented whether or not they have to go through the client's change-control process officially.
Also, create (if you haven't already) a separate management network that only has access to your client's networks. Make sure you have routing and/or firewall rules in place to ensure that different clients are isolated from each other. You don't want your service to be an accidental backdoor. Likewise, you want to ensure that your network can't be used as an egress point by the client or by a miscreant who may be abusing the client's network. This segmentation is an added bonus as it limits the potential scope of the client's QSA audit.
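One way to express the management-network isolation described above as a firewall policy, added here as an example and not part of the original answer: a small POSIX shell script that generates an nftables ruleset for an assumed topology (the interface names mgmt0/clientA/clientB, the subnets and the database ports are constructed for illustration). Management hosts may open database sessions into each client's network; any flow that originates on a client side, whether toward another client, toward the management hosts or out to the Internet, falls through to the chain's drop policy and is rate-limited to the log.

```shell
#!/bin/sh
# Added example: nftables policy for an MSP management network that reaches
# several client database networks while keeping clients isolated from each
# other and denying any egress through the management network.
# Assumed (constructed) topology, not from the original page:
#   mgmt0            interface toward the MSP's own management hosts
#   clientA/clientB  interfaces (e.g. VPN tunnels) toward two client DB subnets
set -eu

MGMT_NET="10.200.0.0/24"
CLIENTS="clientA:10.10.5.0/24 clientB:10.20.5.0/24"   # iface:subnet pairs
DB_PORTS="{ 1433, 1521, 3306, 5432 }"                 # only DB ports are reachable

# Print a complete nftables ruleset; apply with: gen_rules | nft -f -
gen_rules() {
  cat <<EOF
flush ruleset
table inet mgmt_seg {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
EOF
  for pair in $CLIENTS; do
    ifc="${pair%%:*}"
    net="${pair#*:}"
    echo "    # management hosts may open DB sessions into ${ifc} only"
    echo "    iifname \"mgmt0\" oifname \"${ifc}\" ip saddr ${MGMT_NET} ip daddr ${net} tcp dport ${DB_PORTS} accept"
  done
  cat <<EOF
    # no rule matches iifname clientA/clientB, so client -> client,
    # client -> mgmt and client -> anywhere else hit the drop policy
    limit rate 10/minute log prefix "mgmt_seg drop: "
  }
}
EOF
}

gen_rules
```

Because each client gets only an accept rule keyed on traffic entering from mgmt0, adding a client means adding one iface:subnet pair; nothing needs to be written to keep clients apart.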
For more information:
- Learn more about implementing PCI network segmentation.
- Evaluate MSSP before taking the plunge with this expert advice.
This was first published in June 2009