5 things to consider when engaging with a third-party service provider
TRANSCRIPT
What is a TPSP? An organization that is responsible for protecting card data may engage a third-party service provider (TPSP) to support it in card-processing activities or to secure card data.
Industries relevant to cardholder data:
• Payment gateways
• Payment processors
• Colocation services
• Cloud infrastructure
• Managed security services
• Encryption or tokenization services
• Application hosting
• Managed firewall/router service providers
What to consider when engaging with a TPSP:
• Set Expectations: Define, agree upon, and document expectations, at least annually and after a change in services.
• Gain Transparency on Scope: Take reasonable steps to determine that the scope of what is provided by a service provider is appropriate and aligned.
• Establish Communications: Consider establishing a communications schedule.
• Request Evidence: Request evidence to verify that appropriate procedures were followed and that controls were deployed to support changes.
• Obtain Information about PCI DSS Compliance: Validation documentation should be provided at least annually as evidence of PCI DSS compliance.
PCI DSS compliance is a continuous process, not just a point-in-time exercise.