
The requirements for being a PCI DSS-compliant service provider

When your clients ask, 'Are you a PCI-compliant service provider?', how will you answer? In this expert response, learn what requirements you need to meet in order to keep customer data safe.

We are a new "service provider" and we are being asked if we are PCI DSS compliant. The service we are being contracted to provide is the remote administration of the database containing cardholder data. There is no transfer, processing or storage of the cardholder data, only the maintenance of the database. All the cardholder data resides on the customer site. Do we need to go through the PCI DSS certification process for this instance?

Since you are not transferring, processing or storing cardholder data, you are not specifically under the purview of the Payment Card Industry Data Security Standard (PCI DSS). Thus, under the letter of the regulation, you don't need to become a PCI DSS-compliant service provider per se. However, as your staff will have access to the client's database, you will need to have processes in place so your client can properly demonstrate compliance with the regulation as they themselves are still required to be PCI DSS compliant. As a result, your client will likely require that you have specific controls, processes and training in place for your staff.

Most specifically, your staff should be required to undergo PCI DSS security awareness training that covers the requirements of PCI DSS, as well as any specific needs of the client. Additionally, you will want some sort of monitoring tool in place so you can cleanly document what your staff has and hasn't done. This tool can be a formal database-monitoring product or something as simple as a log-monitoring tool; it could also be the deployment of something like a Netwitness or Netscout probe to collect data for later analysis.

Finally, your staff will need a process to document any changes made by the team to the databases, as well as document processes that interact with the client's change-control procedures. All changes (be they something as simple as a password reset or something as complex as a schema change) should be documented whether or not they have to go through the client's change-control process officially.

Also, create (if you haven't already) a separate management network that only has access to your client's networks. Make sure you have routing and/or firewall rules in place to ensure that different clients are isolated from each other. You don't want your service to be an accidental backdoor. Likewise, you want to ensure that your network can't be used as an egress point by the client or by a miscreant who may be abusing the client's network. This segmentation is an added bonus as it limits the potential scope of the client's QSA audit.
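The isolation rules described above, as an added example that is not part of the original answer: a small default-deny policy model for the provider's management network, in which only management hosts may open database-administration sessions into a client, clients can never reach each other through the provider, and no client traffic may leave through the management network. All network addresses and the database port are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example addressing; substitute the real management and client ranges.
MGMT = ipaddress.ip_network("10.200.0.0/24")
CLIENTS = {
    "client-a": ipaddress.ip_network("192.168.10.0/24"),
    "client-b": ipaddress.ip_network("192.168.20.0/24"),
}
DB_PORT = 1433  # assumed DBMS listener port; set to the client's actual one


@dataclass(frozen=True)
class Flow:
    src: str   # source IP address
    dst: str   # destination IP address
    dport: int # destination TCP port


def zone(ip: str) -> str:
    """Map an address to 'mgmt', a client name, or 'other' (anything outside both)."""
    addr = ipaddress.ip_address(ip)
    if addr in MGMT:
        return "mgmt"
    for name, net in CLIENTS.items():
        if addr in net:
            return name
    return "other"


def decide(flow: Flow) -> tuple[bool, str]:
    """First-match policy for new connections crossing the management network.
    Returns (allowed, reason); anything not explicitly allowed is denied."""
    s, d = zone(flow.src), zone(flow.dst)
    if s == "mgmt" and d in CLIENTS and flow.dport == DB_PORT:
        return True, "management host to client database"
    if s in CLIENTS and d in CLIENTS and s != d:
        return False, "client-to-client traffic (provider must not be a backdoor)"
    if s in CLIENTS and d not in CLIENTS:
        return False, "client egress through the management network"
    return False, "default deny"


def iptables_rules() -> list[str]:
    """Render the same policy as iptables FORWARD-chain rules (default drop)."""
    rules = ["-P FORWARD DROP",
             "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for net in CLIENTS.values():
        rules.append(f"-A FORWARD -s {MGMT} -d {net} -p tcp --dport {DB_PORT} "
                     "-m conntrack --ctstate NEW -j ACCEPT")
    return rules
```

The rendered rules rely on the default DROP policy for every client-to-client and client-to-outside case, so the per-client lines are the complete allow list.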

This was last published in June 2009

The certification is designed to prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or exchange cardholder information from any card branded with the logo of one of the card brands.