PCI DSS compliance: What is a Third Party Service Provider?

Navigating the complexities of PCI DSS compliance can be challenging, especially when it comes to understanding the role of Third Party Service Providers (TPSPs). We spoke to our PCI DSS experts to clarify what a TPSP is and their requirements under PCI DSS.

The difference between Merchants and Service Providers

Companies that are in-scope for PCI DSS compliance can be categorised as Merchants and Service Providers.

Merchants: These are businesses that accept payment cards bearing the logo of payment brands, such as Visa and Mastercard, as a method of payment for goods and services provided.

Service Providers (TPSPs): These support and provide a service to other Merchants which has an impact on their payment card data security.

However, the same company can actually be both if they fulfil both functions. An example might be a Data Centre hosting a customer’s IT environment. The customer may be including cardholder data in these systems so from a hosting perspective the Data Centre company are a TPSP. They may also be a merchant if they accept card payments for their hosting services.

Read more: PCI DSS: A terminology and acronym minefield

Common misunderstandings about TPSPs

When carrying out PCI DSS assessments, our QSAs frequently navigate through a range of client misinterpretations and uncertainty on the subject of TPSPs.

This is often centred around the requirements in 12.8 which are all about managing the Merchant / TPSP business relationships. For example, 12.8.4 stipulates that a process must be in place to monitor the PCI DSS compliance status of each in-scope service provider on at least an annual basis. However, many TPSPs mistakenly believe that if they don’t directly handle cardholder data, they don’t need to comply with PCI DSS.

A typical response from in-scope TPSPs which are not an obvious payment gateway provider is “we don’t handle cardholder data, so we don’t need to be included in this” and “we are not a PCI DSS service provider”.

This is directly at odds with the guidance provided by the PCI Security Standards Council (SSC). So, what is the real story?

Clarifying TPSP roles

There is a very useful Glossary of Terms included in the PCI DSS standard itself as well as information supplements such as Third-Party Security Assurance available in the SSC’s online Document Library. Here, it states that TPSPs aren’t just companies that process, store, or transmit cardholder data. They also include companies that provide services that could control or impact the security of cardholder data.

Some examples of TPSPs (not intended to be an all-inclusive list) are:

• Payment gateway services;
• Infrastructure / data centre hosts;
• Managed firewall administrators;
• Monitoring services for critical alerts, such as SOC-provision;
• Companies providing secure destruction of electronic or physical media;
• Providers of software development;
• Web site hosts;
• Entities providing call centre and customer contact services;
• Point-of-sale companies or integrators involved with installations and maintenance of equipment;
• Fraud verification or credit reporting services.

It is worth noting that an Acquirer bank is normally not considered to be a service provider for the purposes of Requirements 12.8. Also, where a Telecomms company is providing a communications link, or an Internet Service Provider is providing a ‘pipe’ for internet access, these type of companies are not considered to be a PCI DSS service provider.

We can help you with your PCI DSS compliance

Understanding and managing TPSP compliance can be tricky. That’s where our PCI DSS experts come in. We can help you establish best practice processes for TPSP compliance and assess your TPSP 12.8 requirements as part of a broader PCI DSS gap analysis.

By clearly understanding the role of TPSPs and their compliance requirements, you can ensure better security for your payment card data and maintain PCI DSS compliance more effectively. Get in touch to discuss how we can make your PCI DSS compliance easier.