PCI DSS 4.0: Third-Party Service Providers & Risk Management

Key Takeaways | PCI DSS 4.0: Third-Party Service Providers and Risk Management

Overview

PCI DSS 4.0 brings major changes to payments with an increased focus on technical controls, targeted risk analysis, organizational maturity and governance. With PCI DSS 4.0 deadlines fast approaching, the new and more demanding obligations regarding Third-Party Service Providers (TPSPs) will take organizations longer to comply with than anticipated.

During this installment of our PCI DSS 4.0 webinar series, Alan Gutierrez-Arana of Mazars US joined McDermott privacy & cybersecurity lawyers Todd McClelland and Mark Schreiber to review how merchants identify, vet and monitor their Third-Party Service Providers (TPSPs). They also addressed issues from the provider side.

Key takeaways included:

  1. PCI DSS 4.0 Requirement 12.8 implements difficult changes in a short time. The updated requirements will be implemented from March 31, 2024, less than one year from now. Customers must quickly build and maintain a comprehensive registry of all TPSPs and rigorously supervise their compliance status. This obligation entails contract review and modification and the addition of compliance measures, such as mandatory reporting, that demand due diligence and time. Some TPSPs may balk at contract changes or the new obligations, which may force the customer to find a new vendor.
  2. Using or outsourcing to a compliant TPSP does not automatically certify the customer as compliant. Compliance cannot be outsourced. Merchants/customers remain responsible for their own PCI compliance. In the event of a breach, the merchant bears the ultimate responsibility.
  3. PCI DSS Version 4 introduces substantial modifications. New definitions require changes to contracts and a basic understanding of PCI, including the redefined roles of Service Providers and TPSPs. Merchants who may have outsourced all PCI compliance must understand the newly added requirements and convey them to all of their TPSPs.
