Ask the Expert

The requirements for being a PCI DSS-compliant service provider

We are a new "service provider" and we are being asked if we are PCI DSS compliant. The service we are being contracted to provide is the remote administration of the database containing cardholder data. There is no transfer, processing or storage of the cardholder data, only the maintenance of the database. All the cardholder data resides on the customer site. Do we need to go through the PCI DSS certification process for this instance?


Since you are not transferring, processing or storing cardholder data, you are not specifically under the purview of the Payment Card Industry Data Security Standard (PCI DSS). Thus, under the letter of the regulation, you don't need to become a PCI DSS-compliant service provider per se. However, as your staff will have access to the client's database, you will need to have processes in place so your client can properly demonstrate compliance with the regulation as they themselves are still required to be PCI DSS compliant. As a result, your client will likely require that you have specific controls, processes and training in place for your staff.

Most specifically, your staff should be required to undergo PCI DSS security awareness training that covers the requirements of PCI DSS, as well as any specific needs of the client. Additionally, you will want some sort of monitoring tool in place so you can cleanly document what your staff has and hasn't done. This tool can be a formal database-monitoring product or something as simple as a log-monitoring tool; it could also be the deployment of something like a NetWitness or NetScout probe to collect data for later analysis.

Finally, your staff will need a process to document any changes made by the team to the databases, as well as document processes that interact with the client's change-control procedures. All changes (be they something as simple as a password reset or something as complex as a schema change) should be documented whether or not they have to go through the client's change-control process officially.
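A minimal reconciliation check of the kind the two paragraphs above call for, written for this page as an illustration and not taken from the original answer: it parses constructed PostgreSQL-style audit log lines, classifies each statement as a password reset, a schema change or a read, and reports every change that has no matching entry in the provider's own (also constructed) change records. The log prefix format, the record fields and the statement patterns are assumptions.

```python
import re

# Constructed sample audit log (PostgreSQL-style prefix); the password value is redacted.
AUDIT_LOG = """\
2009-06-02 09:14:03 UTC user=dba_alice db=cards LOG: statement: ALTER ROLE app_reader WITH PASSWORD '***'
2009-06-02 09:20:41 UTC user=dba_alice db=cards LOG: statement: SELECT count(*) FROM transactions
2009-06-02 10:02:17 UTC user=dba_bob db=cards LOG: statement: ALTER TABLE transactions ADD COLUMN note text
2009-06-02 11:45:00 UTC user=dba_bob db=cards LOG: statement: CREATE INDEX ix_tx_date ON transactions (tx_date)
2009-06-03 08:30:12 UTC user=dba_alice db=cards LOG: statement: DROP TABLE tmp_reconcile
"""

# Constructed change records kept by the provider: who changed what, under which ticket.
CHANGE_RECORDS = [
    {"ticket": "CHG-1041", "user": "dba_alice", "kind": "password_reset", "object": "app_reader"},
    {"ticket": "CHG-1042", "user": "dba_bob", "kind": "schema_change", "object": "transactions"},
]

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) user=(?P<user>\S+) db=\S+ LOG: statement: (?P<sql>.+)$")
# Statement shapes that count as a change; reads such as SELECT deliberately match nothing.
CHANGE_PATTERNS = [
    ("password_reset", re.compile(r"^ALTER (?:ROLE|USER) (\w+) .*PASSWORD", re.I)),
    ("schema_change", re.compile(r"^ALTER TABLE (\w+)", re.I)),
    ("schema_change", re.compile(r"^(?:CREATE|DROP) TABLE (?:IF (?:NOT )?EXISTS )?(\w+)", re.I)),
    ("schema_change", re.compile(r"^CREATE (?:UNIQUE )?INDEX \w+ ON (\w+)", re.I)),
]

def classify(sql):
    """Return (kind, object) for a state-changing statement, or None for a read."""
    for kind, pattern in CHANGE_PATTERNS:
        match = pattern.match(sql.strip())
        if match:
            return kind, match.group(1)
    return None

def extract_changes(log_text):
    """Every logged statement that changed the database, as a list of dicts."""
    changes = []
    for line in log_text.splitlines():
        parsed = LINE_RE.match(line)
        hit = classify(parsed.group("sql")) if parsed else None
        if hit:
            changes.append({"ts": parsed.group("ts"), "user": parsed.group("user"),
                            "kind": hit[0], "object": hit[1], "sql": parsed.group("sql")})
    return changes

def undocumented_changes(log_text, records):
    """Logged changes with no record matching the same (user, kind, object)."""
    recorded = {(r["user"], r["kind"], r["object"]) for r in records}
    return [c for c in extract_changes(log_text)
            if (c["user"], c["kind"], c["object"]) not in recorded]

REPORT = undocumented_changes(AUDIT_LOG, CHANGE_RECORDS)  # one hit: the DROP TABLE
```

In the constructed data the DROP TABLE by dba_alice has no ticket, so it is the only entry in REPORT; the CREATE INDEX on transactions is covered by the same schema-change ticket as the ALTER TABLE.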

Also, create (if you haven't already) a separate management network that only has access to your client's networks. Make sure you have routing and/or firewall rules in place to ensure that different clients are isolated from each other. You don't want your service to be an accidental backdoor. Likewise, you want to ensure that your network can't be used as an egress point by the client or by a miscreant who may be abusing the client's network. This segmentation is an added bonus as it limits the potential scope of the client's QSA audit.

This was first published in June 2009
