Overview
PCI DSS 4.0 brings major changes to payments, with an increased focus on technical controls, targeted risk analysis, organizational maturity and governance. With the PCI DSS 4.0 deadlines fast approaching, the new and more demanding obligations regarding Third-Party Service Providers (TPSPs) will take organizations longer to meet than many anticipate.
During this installment of our PCI DSS 4.0 webinar series, Alan Gutierrez-Arana of Mazars US joined McDermott privacy & cybersecurity lawyers Todd McClelland and Mark Schreiber to review how merchants identify, vet and monitor their TPSPs. They also addressed the issues from the provider side.
Key takeaways included:
- PCI DSS 4.0 Requirement 12.8 imposes difficult changes on a short timeline. The updated requirements take effect on March 31, 2024, less than one year from now. Customers must quickly build and maintain a comprehensive inventory of all TPSPs and rigorously monitor each one's compliance status. Meeting this obligation entails reviewing and amending contracts and adding compliance measures, such as mandatory reporting, that demand due diligence and time. Some TPSPs may balk at the contract changes or the new obligations, which may force the customer to find a new vendor.
- Using or outsourcing to a compliant TPSP does not automatically make the customer compliant. Compliance cannot be outsourced: merchants and other customers remain responsible for their own PCI DSS compliance, and Requirement 12.8.5 expects them to document which PCI DSS requirements each TPSP manages, which they manage themselves, and which are shared. In the event of a breach, the merchant bears the ultimate responsibility.
- PCI DSS 4.0 introduces substantial modifications. New definitions, including the redefined roles of Service Providers and TPSPs, require changes to contracts and a basic understanding of PCI DSS on both sides. The newly added requirements must be understood by merchants, even those who have outsourced PCI DSS compliance entirely, and conveyed to all of their TPSPs.