Due diligence in PCI requirement 12.8.3

Summary

+ Understand PCI requirement 12.8.3
+ Perform due diligence when outsourcing services
+ Conduct regular assessments and updates of third-party security measures
+ Monitor and manage third-party access to sensitive information
+ Implement contractual agreements with third parties

Details

1. Understand PCI requirement 12.8.3
   a. Requirement 12.8.3 of the Payment Card Industry Data Security Standard (PCI DSS) requires organizations to perform due diligence when outsourcing services or activities to third parties that involve access to cardholder data.
   b. This requirement ensures that organizations maintain control over, and responsibility for, the security of their cardholder data even when it is processed or stored by a third party.
2. Perform due diligence when outsourcing services
   a. Before engaging a third-party service provider, organizations must perform due diligence to confirm that the provider meets PCI DSS requirements and can provide adequate security measures for cardholder data.
   b. Due diligence may include reviewing the provider's security policies and procedures, conducting background checks on employees who will have access to cardholder data, and verifying that the provider has appropriate insurance coverage.
3. Conduct regular assessments and updates of third-party security measures
   a. Organizations must regularly assess and update the security measures implemented by their third-party providers to ensure they remain effective and compliant with PCI DSS requirements.
   b. This may involve conducting periodic security assessments, reviewing logs and audit trails for unusual activity, and ensuring that security patches and updates are applied in a timely manner.
4. Monitor and manage third-party access to sensitive information
   a. Organizations must carefully manage third-party providers' access to cardholder data, ensuring that only authorized personnel have access and that access is limited to what the provider needs to perform its duties.
   b. This may involve implementing access controls such as two-factor authentication or role-based access control, and regularly reviewing and updating access privileges.
5. Implement contractual agreements with third parties
   a. Organizations must implement contractual agreements with their third-party providers that set out the security requirements for handling cardholder data and specify the consequences of non-compliance.
   b. These contracts should include provisions for regular security assessments, access control measures, incident response procedures, and breach notification requirements.
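Item 4 describes the controls (role-based access, multi-factor authentication, periodic review of privileges) without showing what a review actually checks. The script below is an added illustration, not text from PCI DSS or from the original page: it takes a set of third-party accounts and flags those whose entitlements exceed the role approved during onboarding, that lack multi-factor authentication, or that have gone unused past a stale-access threshold. The approved-entitlement map, the 90-day threshold, and all account records are constructed sample data; the entitlement names and vendor names are invented for the example.

```python
"""Third-party access review (added illustration, not part of the original page).

Flags vendor accounts that exceed their approved role entitlements, lack MFA,
or have not been used within a stale-access window. All data here is
constructed sample data; the thresholds are assumptions an organization
would set for itself.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Constructed: per-role entitlements approved when the provider was onboarded.
# Anything outside this set is "more than necessary" for the provider's duties.
APPROVED_ENTITLEMENTS: Dict[str, Set[str]] = {
    "payment-gateway-support": {"read:transaction-logs", "read:gateway-config"},
    "pos-maintenance": {"read:pos-inventory", "write:pos-firmware"},
}

# Assumption: an account unused for this long is flagged for removal or re-approval.
STALE_AFTER = timedelta(days=90)


@dataclass
class VendorAccount:
    vendor: str
    username: str
    role: str
    entitlements: Set[str]
    mfa_enabled: bool
    last_used: Optional[date]   # None means the account has never authenticated


def review_account(acct: VendorAccount, today: date) -> List[str]:
    """Return a list of findings for one account; an empty list means it passes."""
    findings: List[str] = []

    approved = APPROVED_ENTITLEMENTS.get(acct.role)
    if approved is None:
        # A role nobody approved cannot have any legitimate entitlements.
        findings.append(f"role '{acct.role}' has no approved entitlement set")
        approved = set()

    excess = acct.entitlements - approved
    if excess:
        findings.append("entitlements beyond approved role: " + ", ".join(sorted(excess)))

    if not acct.mfa_enabled:
        findings.append("multi-factor authentication not enabled")

    if acct.last_used is None or today - acct.last_used > STALE_AFTER:
        findings.append(f"no use within {STALE_AFTER.days} days")

    return findings


def review_accounts(accounts: List[VendorAccount], today: date) -> Dict[str, List[str]]:
    """Run the review over every account, keyed by username."""
    return {a.username: review_account(a, today) for a in accounts}


# Constructed sample records standing in for an export from an IAM system.
SAMPLE_ACCOUNTS = [
    VendorAccount("acme-payments", "acme-svc-01", "payment-gateway-support",
                  {"read:transaction-logs"}, True, date(2024, 5, 20)),
    VendorAccount("acme-payments", "acme-svc-02", "payment-gateway-support",
                  {"read:transaction-logs", "write:gateway-config"}, True, date(2024, 5, 30)),
    VendorAccount("posco-field", "posco-tech-7", "pos-maintenance",
                  {"read:pos-inventory", "write:pos-firmware"}, False, date(2024, 1, 15)),
    VendorAccount("posco-field", "posco-old", "legacy-admin",
                  {"admin:*"}, True, None),
]

if __name__ == "__main__":
    for user, findings in review_accounts(SAMPLE_ACCOUNTS, date(2024, 6, 1)).items():
        status = "OK" if not findings else "REVIEW"
        print(f"{user:14} {status}")
        for f in findings:
            print(f"    - {f}")
```

The review is deliberately driven by an explicit approved-entitlement map rather than by what the account currently holds, so that privilege creep shows up as a diff against the contract rather than being silently accepted as the new baseline. In practice the account list would come from the identity provider's export and the approved map from the onboarding record referenced in the contract.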

Conclusion

+ PCI requirement 12.8.3 is an essential element of maintaining the security and integrity of cardholder data in outsourced environments.
