PCI Calendar – Service Provider Edition

Previously, I discussed the importance of establishing a PCI DSS compliance calendar. This lets you to identify and track all the recurring tasks that must be done to stay compliant with the PCI DSS. As that article touches on, an important distinction in PCI compliance is whether you’re a service provider, or another type of entity (typically a merchant).

In the current version of PCI DSS (3.2.1 as of writing), certain requirements and tests only apply to companies acting as service providers. These additional requirements are typically designed to make sure that you have adequate separation and control of the data you store and process for different customers. There should be no way that one customer can access the data of another. Likewise, you must take all reasonable precautions to prevent the data of one customer being disclosed to another during business operations.

The previous article skipped over the Service Provider requirements mainly because if you’re a merchant they’re just an unnecessary distraction. But it also allowed me to make the point, which I’ll expand on here here: while everyone starting with PCI DSS should seek professional assistance, if you’re offering PCI DSS-compliant services, you really need professional assistance. Service provider businesses aren’t handling just one card at a time; by their nature they will handle Cardholder Data from multiple companies at some volume. And as your clients succeed and grow their businesses, your PCI volumes will likely grow with them.

Recurring Task Calendar

The following table contains a list of recurring tasks that Service Providers should be tracking in their PCI DSS activity calendar, along with the frequency. Some of these may be N/A for your environment, depending on your specific business and scoping. When doing your review, you should cross-reference these with the PCI DSS standard itself. This will both help you understand each specific requirement, and also find any gaps in this list.

Some of these tasks need to be done on a recurring basis, and also after any changes to the environment. As such, they should appear both in your PCI calendar, and also in routine procedure documents as BAU activities.

All of these Service Provider tasks are in addition to those that apply to all PCI DSS-compliant entities.

PCI RequirementDescription of TaskQuarterlyBi-AnnuallyAfter Changes
11.3.4.1If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months, and after any changes to segmentation controls and methods.XX
12.11Perform reviews at least quarterly to confirm that personnel are following security policies and operational procedures.X
12.11.1Maintain documentation of quarterly review process to include results of the reviews, and review and sign off of results by personnel assigned responsibility for the PCI DSS compliance program.X

BAU / Business As Usual Tasks

As discussed previously, BAU tasks are those that should be “baked in” to other routine procedures followed by your business.

The following table contains the only recurring tasks in the current PCI DSS which is both service provider only, and where the frequency isn’t specified.

Again, this BAU task is in addition to those which apply to all PCI DSS-compliant entities.

PCI RequirementTask
3.5.1Maintain a documented description of the cryptographic architecture.