Third Party Service Providers

Introduction

The Payment Card Industry’s Data Security Standard states that the University “must manage and monitor the PCI DSS compliance of all associated third-party service providers with access to cardholder data.”

What does this mean?

Whenever we engage with a supplier (i.e. third-party service provider) we must make sure they have appropriate security controls in place to make sure they will protect our customers’ card data just like we do.

How do we review our suppliers?

We are expected to perform an analysis on each of our suppliers. This includes when we are looking to contract with them as well as annually thereafter. There are several basic documents that we ask all suppliers for during the contracting phase that can demonstrate the supplier’s PCI control environment, including:

  • PCI Attestation of Compliance (Required) – This document is a standard form that suppliers must provide on an annual basis that talks about their processing environment and what PCI controls are in place. Additional weight is given to this document if it is completed by an external auditor, known as a Qualified Security Assessor.
  • PCI Responsibility Matrix (Required) – This document lays out the division of PCI responsibilities between the merchant (Wake Forest) and the supplier.
  • Contract with PCI Specific Language (Required) – Suppliers are required to state that they understand that they can impact Wake Forest’s data and that they will remain PCI compliant through the life of the contract.
  • Data Center SOC 2 Report (Optional) – This document may be requested if the supplier is hosting a website that is part of the overall data flow.

Why does this matter?

It is very important to remember that suppliers that will not or cannot share the required documents are suppliers that we should not be doing business with as they most likely do not understand basic security and PCI controls. And without these documents in place, your merchant environment would not be able to be certified as PCI compliant.

Note: The document lists above only included those items needed for suppliers that are involved with processing credit cards. For a full list of documents that can help attest to a supplier’s overall security and technical capabilities, send an email to the Information Security team and they can walk you through the process.