For PCI DSS, 'shared service providers' are PCI service providers that must comply with PCI DSS and that provide services to more than one client. PCI DSS has included requirements for these service providers since version 1.2, released in 2009. Those requirements are not listed under a numbered requirement but under appendix 'A1' (appendix 'A' in versions prior to PCI DSS 3.2), and they are mandated through requirement 2.6, which requires testing of requirements A1.1.1 to A1.1.4 of appendix 'A1'.
PCI DSS 3.0 introduced a new requirement outside the appendix that also applies only to shared service providers and not to other entities covered by PCI DSS. Requirement 8.5.1 mandates that shared service providers with remote access to customers' premises must ensure that each individual user has different authentication credentials (username and password) for each customer. The intent is that if attackers obtain the credentials used for one customer, those credentials cannot be reused to attack another customer. A note clarifies that this does not apply to access to infrastructure that is managed by the shared service provider and that hosts multiple customers; there, one set of credentials for the whole infrastructure may be adequate.
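As an added illustration (not code from the original article), the following audit walks a constructed vault export and applies the 8.5.1 rule: it flags any individual whose username or password fingerprint appears at more than one customer, and it skips entries on provider-managed shared infrastructure as the note allows. Users, customers and fingerprints are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RemoteAccessAccount:
    """One remote-access credential a service-provider employee holds for a customer."""
    user: str                   # the individual at the service provider
    customer: str               # customer environment the credential reaches
    username: str               # login name used at that customer
    secret_fingerprint: str     # hash of the password as exported by the vault, never the cleartext
    shared_infra: bool = False  # provider-managed infrastructure hosting several customers


def audit_8_5_1(accounts):
    """Flag usernames or passwords one individual reuses across different customers.

    Returns {"username_reuse": {(user, username): [customers]},
             "password_reuse": {(user, fingerprint): [customers]}}.
    Accounts on provider-managed shared infrastructure are excluded, per the note
    in requirement 8.5.1 that one credential set may cover that infrastructure.
    """
    by_username = defaultdict(set)
    by_secret = defaultdict(set)
    for acct in accounts:
        if acct.shared_infra:
            continue
        by_username[(acct.user, acct.username)].add(acct.customer)
        by_secret[(acct.user, acct.secret_fingerprint)].add(acct.customer)

    def reused(index):
        # Only keys seen at two or more distinct customers are findings.
        return {key: sorted(customers) for key, customers in index.items() if len(customers) > 1}

    return {"username_reuse": reused(by_username), "password_reuse": reused(by_secret)}


# Constructed sample vault export (hypothetical users, customers and fingerprints).
SAMPLE_ACCOUNTS = [
    RemoteAccessAccount("alice", "acme-retail", "alice.vpn", "fp-1111"),
    RemoteAccessAccount("alice", "bravo-bank", "alice.vpn", "fp-1111"),   # same creds at two customers
    RemoteAccessAccount("alice", "charlie-hotels", "a.smith", "fp-2222"),
    RemoteAccessAccount("bob", "acme-retail", "bob", "fp-3333"),
    RemoteAccessAccount("bob", "bravo-bank", "bob-bravo", "fp-4444"),
    RemoteAccessAccount("bob", "hosting-core", "bob", "fp-5555", shared_infra=True),  # exempt
]

if __name__ == "__main__":
    for kind, findings in audit_8_5_1(SAMPLE_ACCOUNTS).items():
        for (user, value), customers in findings.items():
            print(f"{kind}: {user} reuses {value!r} across {', '.join(customers)}")
```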
Requirement A.1 simply asks us to protect each hosted environment and its data by meeting the next four requirements. The first two cover logical segmentation (it does not have to be physical) between the different entities (organizations). The other two cover logging and ensuring that logs are available to the client.