
PCI DSS Requirement – 12.9.2

Defined Approach Requirements

12.9.2 Additional requirement for service providers only: TPSPs support their customers’ requests for information to meet Requirements 12.8.4 and 12.8.5 by providing the following upon customer request:
• PCI DSS compliance status information for any service the TPSP performs on behalf of customers (Requirement 12.8.4).
• Information about which PCI DSS requirements are the responsibility of the TPSP and which are the responsibility of the customer, including any shared responsibilities (Requirement 12.8.5).

Customized Approach Objective

TPSPs provide information as needed to support their customers’ PCI DSS compliance efforts.

Applicability Notes

This requirement applies only when the entity being assessed is a service provider.

Defined Approach Testing Procedures

12.9.2 Additional testing procedure for service provider assessments only: Examine policies and procedures to verify that processes are defined for the TPSP to support customers’ requests for information to meet Requirements 12.8.4 and 12.8.5 in accordance with all elements specified in this requirement.

Purpose of requirement and procedures

If a TPSP does not provide the necessary information to enable its customers to meet their security and compliance requirements, the customers will be unable to protect cardholder data or to meet their own contractual obligations.

Good practice

If a TPSP has a PCI DSS Attestation of Compliance (AOC), the expectation is that the TPSP should provide that to customers upon request to demonstrate their PCI DSS compliance status.
If the TPSP did not undergo a PCI DSS assessment, it may be able to provide other sufficient evidence to demonstrate that it has met the applicable requirements without undergoing a formal compliance validation. For example, the TPSP can provide specific evidence to the customer’s assessor so that the assessor can confirm the applicable requirements are met. Alternatively, the TPSP can elect to undergo multiple on-demand assessments by each of its customers’ assessors, with each assessment targeted to confirm that the applicable requirements are met.
TPSPs should provide sufficient evidence to their customers to verify that the scope of the TPSP’s PCI DSS assessment covered the services applicable to the customer and that the relevant PCI DSS requirements were examined and determined to be in place.
TPSPs may define their PCI DSS responsibilities to be the same for all their customers; otherwise, this responsibility should be agreed upon by both the customer and the TPSP.

It is important that the customer understands which PCI DSS requirements and sub-requirements its TPSPs have agreed to meet, which requirements are shared between the TPSP and the customer, and, for those that are shared, specifics about how the requirements are shared and which entity is responsible for meeting each sub-requirement.

An example of a way to document these responsibilities is via a matrix that identifies all applicable PCI DSS requirements and indicates whether the customer or the TPSP is responsible for meeting that requirement or whether it is a shared responsibility.
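The responsibility matrix described above is only useful to a customer if every in-scope sub-requirement has an owner and every row marked as shared actually says which party does which part. The following script is an added example, not code from the PCI DSS standard, the PCI SSC sample template, or this page; it checks a matrix for exactly those gaps. The CSV layout (columns requirement, owner, shared_detail), the owner labels TPSP / Customer / Shared, the sample rows, and the requirement numbers used in them are all constructed placeholders for illustration.

```python
"""Check a TPSP/customer PCI DSS responsibility matrix for gaps.

Added example; the CSV layout, column names, owner labels and sample rows
are assumptions, not the PCI SSC template. Requirement numbers in the
sample are placeholders for illustration only.
"""
import csv
import io

VALID_OWNERS = {"TPSP", "Customer", "Shared"}

# Constructed sample matrix: one row per sub-requirement. A Shared row is
# expected to describe the split in shared_detail; 8.3.1 deliberately omits it.
SAMPLE_MATRIX = """\
requirement,owner,shared_detail
1.2.1,TPSP,
2.2.1,Shared,TPSP hardens the host OS; Customer hardens the application configuration
3.5.1,Customer,
8.3.1,Shared,
9.1.1,TPSP,
12.8.5,Customer,
"""


def parse_matrix(text):
    """Parse the CSV text into a list of dicts with stripped string fields."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        rows.append({k: (v or "").strip() for k, v in raw.items()})
    return rows


def validate_matrix(rows, expected_requirements=None):
    """Return a list of findings; an empty list means the matrix is acceptable.

    Findings cover: duplicate rows, unknown owner labels, Shared rows with no
    description of the split, detail text on a row that is not Shared, and
    (when expected_requirements is given) in-scope requirements missing from
    the matrix entirely.
    """
    findings = []
    seen = set()
    for r in rows:
        req, owner, detail = r["requirement"], r["owner"], r.get("shared_detail", "")
        if req in seen:
            findings.append(f"{req}: duplicate row")
        seen.add(req)
        if owner not in VALID_OWNERS:
            findings.append(f"{req}: unknown owner {owner!r}")
        elif owner == "Shared" and not detail:
            findings.append(f"{req}: marked Shared but the split of duties is not described")
        elif owner != "Shared" and detail:
            findings.append(f"{req}: has shared_detail text but owner is {owner}, not Shared")
    if expected_requirements:
        for missing in sorted(set(expected_requirements) - seen):
            findings.append(f"{missing}: in scope for the customer but absent from the matrix")
    return findings


def coverage_by_owner(rows):
    """Count how many requirements fall to each owner label (for a quick summary)."""
    counts = {owner: 0 for owner in VALID_OWNERS}
    for r in rows:
        if r["owner"] in counts:
            counts[r["owner"]] += 1
    return counts


if __name__ == "__main__":
    # The customer's in-scope list; 10.2.1 is a placeholder that the sample
    # matrix does not cover, so it should be reported as missing.
    in_scope = ["1.2.1", "2.2.1", "3.5.1", "8.3.1", "9.1.1", "10.2.1", "12.8.5"]
    matrix = parse_matrix(SAMPLE_MATRIX)
    print(coverage_by_owner(matrix))
    for finding in validate_matrix(matrix, in_scope):
        print("FINDING:", finding)
```

Run against the sample, the check reports two gaps: 8.3.1 is shared with no description of the split, and 10.2.1 is in the customer's scope but not in the matrix. Both are exactly the situations the guidance above warns about, where a customer might wrongly assume the TPSP covers a requirement.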
Further Information

For further guidance, refer to:
• PCI DSS section: Use of Third-Party Service Providers.
• Information Supplement: Third-Party Security Assurance (includes a sample responsibility matrix template).

Definitions

[No detail is provided here in the PCI DSS 4.0]


Note: This sub-requirement falls within the primary PCI DSS Requirement 12: Support Information Security with Organizational Policies and Programs, and the secondary requirement 12.9: Third-party service providers (TPSPs) support their customers’ PCI DSS compliance.


What is the PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), the compliance scheme aims to secure credit and debit card transactions against data theft and fraud.

While the PCI SSC has no legal authority to compel compliance, it is a requirement for any business that processes credit or debit card transactions. PCI certification is also considered the best way to safeguard sensitive data and information, thereby helping businesses build long lasting and trusting relationships with their customers.

Source: https://www.imperva.com/learn/data-security/pci-dss-certification/

What is the PCI SSC

The PCI SSC mission is to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders. We achieve this with a strategic framework to guide our decision-making process and ensure that every initiative is aligned with our mission and supports the needs of the global payments industry.

The four pillars of our strategic framework include:

  1. Increase industry participation and knowledge in the PCI Standards development process and stakeholder support for standards implementation. This ensures that standards and resources reflect and address industry needs and challenges.
  2. Evolve security standards and validation programs to support a range of environments, technologies and methodologies for achieving security. This ensures standards and resources that support and enable safe commerce and the flexibility to use different approaches to meet those standards.
  3. Secure emerging payment channels via development of PCI Standards and resources to support broader payment acceptance. This enables safe commerce in new and emerging card and card-based payment channels such as mobile and internet-of-things.
  4. Increase standards alignment and consistency of PCI Standards to minimize redundancy and support effective implementation.

PCI DSS certification

PCI certification ensures the security of card data at your business through a set of requirements established by the PCI SSC. These include a number of commonly known best practices, such as:

  • Installation of firewalls
  • Encryption of data transmissions
  • Use of anti-virus software

Source: https://www.imperva.com/learn/data-security/pci-dss-certification/


You can learn more about the PCI DSS at https://www.pcisecuritystandards.org/

Updated on October 15, 2022