Connect with us

Hi, what are you looking for?



PCI DSS 3.2: Third Party Service Providers, It’s Time to Step Up

On November 1, 2016, the latest version of the Payment Card Industry Data Security Standard (PCI DSS 3.2) took effect. The PCI DSS 3.2 has a number of notable changes, particularly for third party service providers.

On November 1, 2016, the latest version of the Payment Card Industry Data Security Standard (PCI DSS 3.2) took effect. The PCI DSS 3.2 has a number of notable changes, particularly for third party service providers.

During the past few years, we have seen a barrage of data breaches where the attackers broke in through a third party service provider. According to a Ponemon Institute study, nearly half of risk professionals say their organization experienced a data breach caused by one of their vendors. Seventy three percent see the number of cyber security incidents involving vendors increasing and 65 percent say it is difficult to manage cyber security incidents involving vendors.  Although the pure financial impact can often be mitigated through contracts or insurance, the reputational impacts are a lot more difficult to mitigate.

PCI Security Standards Council 

Some companies partner with thousands of vendors. With already limited headcount and resources, understanding what each of those vendor’s users are doing on the network is a daunting task. The fact that the PCI DSS 3.2 puts more responsibility on vendors to ensure their users are adopting secure cyber practices will tremendously help ease the burden. 

One PCI DSS 3.2 requirement that stands out is that executive management for service providers is required to “establish responsibility” for the protection of cardholder data and a PCI DSS compliance program.  The requirement is intended to “ensure executive-level visibility into the PCI DSS compliance program.”

Due to an increased understanding of the impact of poorly managed cyber risk, in addition to regulations like the PCI 3.2 and upcoming New York State Department of Financial Services requirements that assign accountability to executives and board members, we are seeing more executives and board members actively participating in the cyber risk management process. The shift benefits the entire cyber security industry because when company leaders understand their cyber risk posture, they make more effective risk reduction decisions.

Employees throughout the company also act with cyber security in mind because they know the top level is paying attention. By requiring top level executives of third party service providers to get more involved in protecting cardholder data, vendors should see the same results as their enterprise clients. Their executives will be in-the-know regarding if their company is elevating a client’s risk of a breach, and can take action to reduce that risk before it’s too late.

Another related requirement is that service providers are required to perform reviews at least quarterly, to confirm employees are following security policies and operational procedures.  The requirement puts the onus on the providers themselves (vs. solely on the enterprise) to make sure best security practices are being followed. While “at least quarterly” isn’t a firm “must be performed quarterly,” it at least recommends more frequent reviews vs. once a year.

The PCI DSS 3.2 should greatly help companies reduce third party vendor risk, and is starting to shift from just a check-the-compliance-box activity to a more continuous compliance model.  

Advertisement. Scroll to continue reading.

A new requirement in that vein is requirement 6.4.6, which states, “Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.” This means that PCI DSS compliance is no longer just a once a quarter or annual exercise, but one that requires attention any time there is a significant change.  

While I believe there is a long way to go in this regard, the requirement puts compliance on the radar every day, not just four times a year.  As the industry shifts to this continuous compliance model, you will see increased focus on measuring effectiveness rather than just compliance.  It also means that the quarterly, manual spreadsheet shuffle needs to be automated in way that can be monitored on a regular basis.

This continuous compliance model also needs to extend to reducing vendor risk. Companies need to monitor the level of access vendor users receive to their most valued applications and systems, and how that access is being used.  Minimizing vendor access to valued assets so that only users who need access get it, and monitoring activity to identify anomalous behavior are two critical steps to minimizing exposure to third party risk.

The PCI DSS 3.2 has recognized and called out the need for enterprises to ensure their vendors step up their game, and to reconfirm a secure posture whenever significant changes are made.  Once cyber risk management becomes part of a company’s every day practices, just like other critical organizational functions, demonstrating compliance with the PCI DSS 3.2 and similar regulations will become a non-event.

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Web scraping is a sensitive issue. Should a third party be allowed to visit a website and use automated tools to gather and store...

Cloud Security

Proofpoint removes a formidable competitor from the crowded email security market and adds technology to address risk from misdirected emails.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...