Outsourcing functions to other organizations can be an efficient way for organizations to fulfill business functions it cannot or does not want to perform in-house, whether for costs or capacity reasons.
Now, one cannot simply use any third-party service provider (TPSP). If that was not obvious before, it is made abundantly clear in the information supplement provided by the PCI SSC in August of 2014. In figure 2 of the information supplement, the due diligence process is presented in the decision tree. If you follow this process, it becomes clear that unless a service provider has either:
- validated and provided evidence of PCI DSS compliance
- provided evidence so that the entity has validated that it is compliant
- provided a reasonable plan to achieve compliance, then the entity should select another TPSP.
Indeed, the supplement also adds:
The use of a TPSP, however, does not relieve the entity of ultimate responsibility for its own PCI DSS compliance, or exempt the entity from accountability and obligation for ensuring that its cardholder data (CHD) and CDE are secure.
Essentially, you can delegate responsibility to a third-party for tasks, but you cannot outsource your accountability for compliance.
So an organization retains is the obligation to ensure that the third-party service providers it hires are PCI DSS compliant and maintain their compliance with PCI DSS through a program consisting of policies and procedures, including performing proper due diligence prior to engaging a TPSP.
See PCI DSS requirements 12.8.* and 12.9 for more detail.
- Section 3.8.1 of Volume 3
- PCI SSC - Third-Party Security Assurance v.1.1 (March 2016)