PCI DSS mandates merchants use PCI 3.0-compliant Service Providers
VISA’s guideline in response to merchant breaches caused by applications installed by integrators and resellers recommends merchants to work with an approved service provider to,
• Improve security, reduce risk and maintain PCI DSS compliance
• Simplify the vendor selection process
• Ensure that their PCI DSS compliance efforts will be supported
According to PCI 3.0, service providers should have an Attestation of Compliance. PCI DSS requirements related to service providers are listed in section 12 of PCI DSS v3.0.
In addition, there are three new requirements for the merchant:
- 12.4.1: Information security responsibilities must be assigned such that separation of duties for security functions is maintained.
- 12.8.2: Maintain a written agreement that includes an acknowledgement that the service providers will maintain all applicable PCI DSS requirements to the extent the service provider handles, has access to, or otherwise stores, processes, or transmits the customer’s cardholder data or sensitive authentication data, or manages the customer’s cardholder data environment on behalf of a customer.
- 12.8.5: Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
Omega ATC is a PCI 3.0 certified Managed Security Service Provider (MSSP). Contact us for your data security needs.