Since you are not transferring, processing or storing cardholder data, you are not specifically under the purview of the Payment Card Industry Data Security Standard (PCI DSS). Thus, under the letter of the regulation, you don't need to become a PCI DSS-compliant service provider per se. However, as your staff will have access to the client's database, you will need to have processes in place so your client can properly demonstrate compliance with the regulation as they themselves are still required to be PCI DSS compliant. As a result, your client will likely require that you have specific controls, processes and training in place for your staff.
Most specifically, your staff should be required to undergo PCI DSS security awareness training that includes the requirements of PCI DSS, as well as any specific needs of the client. Additionally you will want some sort of monitoring tool in place so you can cleanly document what your staff has and hasn't done. This tool can be a formal database-monitoring product or something as simple a log-monitoring tool; it could also be the deployment of something like a Netwitness or Netscout probe to collect data for later analysis.
Finally, your staff will need a process to document any changes made by the team to the databases, as well as document processes that interact with the client's change-control procedures. All changes (be they something as simple as a password reset or something as complex as a schema change) should be documented whether or not they have to go through the client's change-control process officially.
Also, create (if you haven't already) a separate management network that only has access to your client's networks. Make sure you have routing and/or firewall rules in place to ensure that different clients are isolated from each other. You don't want your service to be an accidental backdoor. Likewise, you want to ensure that your network can't be used as an egress point by the client or by a miscreant who may be abusing the client's network. This segmentation is an added bonus as it limits the potential scope of the client's QSA audit.
For more information:
This was first published in June 2009