Confirming the need for stringent third-party risk assessments, the PCI Security Standards Council issued guidance this week focusing on the need to thoroughly assess third-party service providers who store, process or transmit cardholder data. The PCI guidance underscores and reinforces Shared Assessments’ position that, because third-party service providers are under increasing attack by criminal elements, the need to ensure that service providers are enforcing stringent IT security and data privacy protection standards has never been greater.
The guidance is intended to assist in the interpretation of PCI DSS requirement 12.8, which focuses on the need to ensure that cardholder data residing with a third-party service provider is adequately protected by that provider. Included in the guidance are suggestions and clarifications for PCI DSS requirements and a sample PCI DSS responsibility matrix to assist in determining roles and responsibilities for the identification and development of specific control areas.
Santa Fe Group Consultant and Shared Assessments Program Director Brad Keller has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s tools and key partnerships. Follow Brad on Twitter at @sfgbrad or on LinkedIn.