*Updated: Now with Extra Snark!
Let me clarify, I’m not a QSA, ISA or any other type of SA**. But as the senior architect for a security team, I’m usually expected to have the last word on technical implementations. Like many, I’ve been stuck in PCI purgatory since the release of the 3.0 standard. New requirements to interpret, countless discussions with the QSA and the acquirer, arguments with the rest of the organization who barely understand payments and think they get to have an opinion: it makes me want to shred all my own credit cards. In addition to the scoping changes with ecommerce, the Service Provider definition was modified.
If there was even one iota of doubt left in my mind, this section from the PCI DSS Information Supplement: Third Party Security Assurance resolved it:
Below are examples of types of services and providers with which an entity may work:
- Organizations involved in the storage, processing, and/or transmission of cardholder data (CHD). Third-party service providers in this category may include:
- Call centers
- E-commerce payment providers
- Organizations that process payments on behalf of the entity, such as a partner or reseller
- Fraud verification services, credit reporting services, collection agencies
- Third-party processors
- Entities offering processing-gateway services
- Organizations involved in securing cardholder data. TPSPs in this category may include:
- Companies providing secure destruction of electronic and physical media
- Secure storage facilities for electronic and physical media
- Companies that transform cardholder data with tokenization or encryption
- E-commerce or mobile-application third parties that provide software as a service
- Key-management providers such as key-injection services or encryption-support organizations (ESO)
- Organizations involved in the protection of the cardholder data environment (CDE). TPSPs in this category may include:
- Infrastructure service providers
- Managed firewall/router providers
- Secure data-center hosting providers
- Monitoring services for critical security alerts such as intrusion-detection systems (IDS), anti- virus, change-detection, compliance monitoring, audit-log monitoring, etc.
- Organizations that may have incidental access to CHD or the CDE. Incidental access is access that may happen as a consequence of the activity or job. TPSPs in this category may include:
- Providers of managed IT delivery channels and services
- Companies providing software development, such as web applications
- Providers of maintenance services
So stop arguing with reality (and me). Oh and for the record, I don’t care what you, your mom, your dry cleaner, or another merchant thinks about PCI. I love those people who spend 30 minutes going through the standard and think they understand it because they’ve read the words. As most of us know who’ve worked with PCI for any amount of time, it’s a bit like pornography. Everyone has a different definition. As far as security and compliance teams are concerned, the only opinions that matter come from the acquirer, the QSA and the organization’s ISA. Moreover, a security team for an organization usually has thousands of hours of combined experienced in PCI DSS. A non-practitioner offering us “suggestions” is the equivalent of someone offering Misty Copeland advice about her grand jetes after taking one ballet class.
**Qualified Security Assessor, Internal Security Assessor