Third Party Risk Management - Consultancy, Assessment & Advisory

Are Your Third Parties PCI Compliant?

Online shopping has quickly become one of the most popular online activities. The pandemic sparked a significant uptick in global e-commerce activity, and annual retail e-commerce sales are expected to keep growing steadily. That shift brings its own cybersecurity risks, many of which stem from the service providers retailers have brought in to meet demand and the access those providers have to consumer data.

Worldwide retail e-commerce sales 2014 to 2024

Source: Statista

A Guide To Your Third Parties & PCI-DSS Compliance

Cybercriminals are working smarter, not harder, and they know they do not need to attack a retailer or a financial institution directly to reach customer and card data. Every business that accepts payment cards for online purchases must comply with the PCI Data Security Standard (PCI DSS), but not everyone with access to that sensitive data is treated as falling under the same umbrella.

First off, what is the PCI Data Security Standard (PCI-DSS)?

The PCI Data Security Standard (PCI DSS) is a set of twelve requirements, each with detailed sub-requirements and testing procedures, for protecting cardholder data wherever it is stored, processed or transmitted. It is mandatory by contract rather than by law: the card brands impose it through their agreements with acquirers, merchants and service providers. Version 1.0 was released in December 2004, and in 2006 American Express, Discover, JCB International, MasterCard and Visa formed the PCI Security Standards Council (PCI SSC), the international body that now owns and maintains the standard.

PCI Data security standards listing

No company is a one-stop shop. Whether you outsource web hosting, customer service or debt collection, those third parties have a direct effect on your security and compliance posture: their employees or systems have access to your systems or your data, and therefore to cardholder data. PCI DSS requirements accordingly extend beyond the merchant. Any third-party service provider (TPSP) with which cardholder data is shared, or which could affect the security of your cardholder data environment, must maintain PCI DSS compliance for the services it provides, and you must be able to evidence that compliance.

Which vendors should be PCI-compliant?

As your network of service providers grows, so does your risk exposure. A breach of a payment system affects the entire payment ecosystem, and the consequences usually include large financial losses. Financial institutions that suffer a data breach lose both credibility and customer trust.

PCI DSS recognises that a merchant or service provider may use a third party to achieve its own business objectives, but doing so does not relieve that entity of its responsibility to maintain PCI DSS compliance. Ensuring your third parties are PCI compliant is as important as keeping up with your internal controls, because so many of your vendors, suppliers and partners have direct access to cardholder data.

As a result, the PCI SSC developed a supplementary information guide, Third-Party Security Assurance, outlining guidance for the following TPSPs:

What specifications are there for third parties and PCI-compliance?

According to the PCI Security Standards Council, “a robust and properly implemented third-party assurance program assists an entity in ensuring that the data and systems it entrusts to TPSPs are maintained in a secure and compliant manner. Proper due diligence and risk analysis are critical components in the selection of any TPSP.”

PCI DSS TPSP engagement flow chart

Source: PCI Security Standards Council; Third-Party Security Assurance and Shared Responsibilities Special Interest Groups

PCI DSS Requirement 12.8 sets out what an organisation must do to manage the service providers with which cardholder data is shared or that could affect the security of cardholder data. Under PCI DSS v3.2.1 the entity must maintain a list of service providers and the services each provides (12.8.1), hold a written agreement in which each provider acknowledges its responsibility for the security of the cardholder data it possesses or could affect (12.8.2), follow an established due-diligence process before engaging a provider (12.8.3), monitor each provider's PCI DSS compliance status at least annually (12.8.4), and keep a record of which PCI DSS requirements are managed by each provider and which remain with the entity itself (12.8.5).

PCI DSS frequency of compliance table

Source: PCI Security Standards Council; Third-Party Security Assurance and Shared Responsibilities Special Interest Groups

PCI DSS compliance checklist

Source: PCI Security Standards Council; Third-Party Security Assurance and Shared Responsibilities Special Interest Groups

What should I know about PCI-DSS 4.0?

Slated for release in early to mid 2022, PCI DSS v4.0 will be the most significant revision since PCI DSS 3.0 was released in November 2013, with major updates responding to the world's ongoing digital transformation and the cybersecurity risk that comes with it. Although the full details of version 4.0 have yet to be announced, the customised approach to validation that it will offer merchants and service providers has attracted the most attention.

According to the PCI Council, “unlike compensating controls, customised validation will not require a business or technical justification for meeting the requirements using alternative methods, as the requirements will now be outcome-based.” This is likely to give organisations a more durable route for validating compliance where they meet a requirement with their own specialised controls. It will also most likely suit only organisations further along in security maturity, since an outcome-based approach places the burden of demonstrating that a control is effective squarely on the entity.

While the details are still up in the air, one thing is certain: this next version of PCI DSS will not be the last. Shift the conversation from “how do I achieve third-party PCI compliance?” to “how can I mature my third-party risk management process across the board?”.

Start, Grow and Optimise Your TPRM Program Today

Black Kite Cyber Risk Rating TPCRM Program

Of course, everyone starts somewhere. Black Kite’s automated compliance correlation has helped hundreds of organisations save time, money and resources by automatically measuring PCI compliance levels for any vendor within their cyber ecosystem.

Register Now and receive a complimentary Technical, Financial, and Compliance rating of your company or any supplier in your ecosystem.

For more information on how DVV Solutions can mature and scale your Third Party Risk and Compliance Program, call +44 (0) 161 476 8700 or complete the contact form.

About Black Kite 

Black Kite redefines vendor risk management with the world’s first global third-party cyber risk monitoring platform, built from a hacker’s perspective. With 300+ customers across the globe and counting, we’re committed to improving the health and safety of the entire planet’s cyber ecosystem with the industry’s most accurate and comprehensive cyber intelligence.

While other security ratings service (SRS) providers try to narrow the scope, Black Kite provides the only standards-based cyber risk assessments that analyse your supply chain’s cybersecurity posture from three critical dimensions together: technical, financial, and compliance.

This article was originally published by Black Kite and is shared with their kind permission.