No organization can do everything by itself. Back-up tape storage facilities, web-hosting companies, security service providers – most organizations have some type of relationship with a third party or vendor. That’s why PCI Requirement 12.8 focuses on vendor management and asks organizations to maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.
PCI Requirement 12.8.1 specifically asks that you maintain a list of service providers, including a description of the service each one provides. This list helps you identify where potential risk extends outside your organization.
To verify compliance with PCI Requirements 12.8 and 12.8.1, an assessor will observe and review your policies and procedures, as well as your list of service providers with access to cardholder data.
KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to clients in more than 48 states, Canada, Asia, and Europe. The firm has over 13 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks.