Guidance from the PCI Security Standards Council (PCI SSC) notes that many assessments overlook service providers. That raises the question of which service providers a client has omitted to tell us about. So we present a worksheet of service providers that may have access to, or could affect the security of, the cardholder data environment (CDE). You may not have all of these in your environment, and the list is not necessarily exhaustive, but for each one you need to determine whether it is present.
Here is a list of hidden service providers in your PCI DSS assessment that you should get familiar with.
- Data Center
- Co-location Provider
- Managed Services Provider
- Domain Registrar
- DNS (Domain Name System) hosting provider
- Certificate Authority
- Hardware provider(s)
- Hardware support provider (Remote Hands, Geek Squad, or similar)
- Cloud provider (Salesforce, Azure, AWS, Google Cloud Platform, or a similar platform)
- Telecommunications provider (especially if a wi-fi, cellular, or other wireless link carries traffic from, e.g., a point-of-sale device into your CDE)
- Internet Service Provider
- Payment processors (if they perform services beyond payment processing)
- Authentication providers (SAML identity providers, MFA services)
- Customer Service staff (facilitating refunds, disputes, and other problem-solving responsibilities)
- (Payment application) Software providers
- API providers
- Middleware providers
- Security Information and Event Management (SIEM) and alerting services
- Website programmers and testers
- Application or mobile app programmers and testers
- Artists for website graphics, logos, or background designs
- Photographers for website content, or item identification (especially if photos are provided by consumers themselves).
- HVAC technicians, janitors, or other service staff with physical access to the CDE
Your scope for PCI DSS compliance includes every service provider you rely on for compliance, and Requirement 12.8 expects you to maintain a list of them and to manage each relationship. Check the examples above against that list; they are the ones most often left off.