PCI for Service Providers

Irrespective of whether you are a payment service provider or a provider of hosting and cloud services, as a service provider you come into contact with a host of confidential data when processing transactions, hosting information, or supplying credit card connectivity.

To safeguard cardholder data, the credit card schemes and acquirers require PCI certification of businesses that process credit card information. As a service provider, you must therefore also comply with the Payment Card Industry Data Security Standard (PCI DSS) and fulfill its security requirements.

But staying on top of things and successfully mastering all steps for PCI DSS certification may prove challenging for service providers. As a certification body authorized by the PCI Council, we assist you in all aspects of your PCI DSS compliance for service providers, and support you in areas such as:

  • Training and assessment preparation through in-depth information and introductory workshops on PCI DSS for service providers.

  • Advice and support on compliance along the road to certification by applying our proven frameworks.

  • Performance of vulnerability scans (ASV) using our compliance portal, where existing problems are directly identified and addressed in detail.

  • Assessment services in the form of an on-site review by our auditors.

PCI DSS certification for service providers – Requirements

As a service provider, you constantly come into contact with payment card information when electronically processing payment transactions, authenticating consumers, or providing support and hotline services. However, compliance with the PCI standard is also mandatory for service providers that have no direct contact with payment card information but may influence the security of the payment card environment, such as data centers or suppliers of security services and cloud solutions. To protect both you and your customers, the PCI Council aims to promote compliance with the PCI security standards strongly and sustainably. The council is made up of representatives of the payment card schemes VISA, MasterCard, JCB, American Express, and Discover, and classifies PCI DSS service providers in two levels. Service providers must fulfill different requirements depending on their level.

PCI DSS certification services for service providers

To support you fully along the road to PCI DSS certification, we provide an application on our compliance portal that enables you to implement many of the PCI DSS requirements for service providers easily and straightforwardly. These include the annual completion of the PCI Self-Assessment Questionnaire (SAQ), which you can also save and submit within the portal. We also provide the following services:

  • Quarterly vulnerability scans performed by an approved scanning vendor (ASV).

  • Annual on-site audit carried out by a qualified security assessor (QSA).

  • Awareness training as eLearning addressing the secure handling of payment card information.

If we detect potential security gaps in this context, we inform you immediately and advise you on how to close these gaps.

Training on PCI DSS compliance for service providers

As a service provider, you and your employees rely on your IT applications every single day. Because these applications may be vulnerable, a thorough understanding of IT security is crucial for every business. In our training and information events, we instruct you about potential threats, how to recognize them, and how to protect yourself against them.

Secure coding training

Secure and robust software is a key factor in the PCI compliance of service providers. Ideally, software development should follow the best-practice guidelines of the Open Web Application Security Project (OWASP) Guide. In secure coding training, we present the associated security-relevant aspects and teach you everything you need to know to implement them.

Awareness training

PCI DSS requirement 12.6 demands that the organization hold regular awareness training and establish a security awareness program. We address these requirements by providing workshops and training, strengthening your employees' awareness of security issues, and pointing out the right way of handling sensitive data such as credit card information. This ensures that you and your employees meet the PCI compliance requirements of your contracting partners and customers, and lets you raise information security in your business to the next level.

Security through PCI DSS certification for service providers

Our extensive range of workshops, training, and support services ensures that you obtain all relevant information on PCI certification for service providers and stay up to date at all times. We help you to provide your customers and partners with secure processing of their data and to protect yourself against potential security threats. We are your trusted partner in all aspects and requirements of PCI DSS certification for service providers. As an additional benefit, following successful certification you will obtain the TÜV SÜD certification mark for use on your website.

Next Steps