Shared Responsibility Matrix in PCI

Service Providers’ Security Responsibilities 
PCI Requirement 12.9 functions in conjunction with PCI Requirement 12.8.2 to promote a consistent level of understanding between service providers and their customers about their applicable PCI compliance responsibilities. PCI Requirement 12.9 applies to service providers only. It requires service providers to provide a written acknowledgement of their security responsibilities as it relates to how they store, process, or transmit cardholder data on behalf of their customers. This ensures that the service provider has an awareness for how it could impact the security of the cardholder data environment. This acknowledgement is typically written into contracts and oversight is performed through a vendor management program. 

Little point of clarity here: when we are discussing the PCI DSS, Requirement 12.9 is for service providers. PCI Requirement 12.8.5 requires your assessment establishing a roles and responsibilities matrix for your vendors. PCI Requirement 12.9 is the opposite of that. If you are a service provider, you need to have a list that you’re going to present to clients to let them know what part of the PCI DSS you are taking care of. Additionally, with PCI Requirement 12.9, we want to write it into your contract with your customers what those responsibilities are. Make sure you communicate to them what you are responsible for and what they are going to be responsible for within the cardholder data environment.

Related Videos