PCI Shared Responsibility: Who Is Responsible for What?


When it comes to PCI DSS compliance, understanding who is responsible for what can feel like navigating a complex maze. Whether you’re working with cloud providers, payment processors, or third-party vendors, the concept of “shared responsibility” determines how compliance obligations are distributed among different parties in your payment ecosystem.

The Payment Card Industry Data Security Standard (PCI DSS) doesn’t operate on an “all-or-nothing” principle. Instead, it follows a shared responsibility model where various stakeholders—merchants, service providers, cloud vendors, and payment processors—each have specific roles in maintaining the security of cardholder data.

Understanding this distribution of responsibilities is crucial for businesses because misunderstanding who owns what can lead to compliance gaps, security vulnerabilities, and potentially costly data breaches. Many organizations mistakenly assume that using compliant third-party services automatically makes them compliant, while others take on unnecessary responsibilities that increase costs and complexity.

Key takeaways you’ll learn:

  • How PCI shared responsibility works across different service models
  • Specific compliance obligations for merchants versus service providers
  • Practical steps to document and validate shared responsibilities
  • Common pitfalls that lead to compliance gaps
  • Tools and strategies to manage multi-party compliance effectively

Core Concepts

Definitions and Terminology

Shared Responsibility Model: A framework that defines how compliance obligations are distributed between different parties involved in payment card processing. This model recognizes that modern payment systems involve multiple stakeholders, each controlling different aspects of the infrastructure and processes.

Entity Types:

  • Merchants: Organizations that accept payment cards as payment for goods or services
  • Service Providers: Companies that provide services to merchants or other service providers that could impact the security of cardholder data
  • Acquiring Banks: Financial institutions that enable merchants to accept card payments
  • Card Brands: Companies like Visa, Mastercard, American Express, and Discover

Responsibility Matrices: Documents that clearly outline which party is responsible for each PCI DSS requirement, often used in contracts and service agreements.

How It Fits Into PCI Compliance

The shared responsibility model acknowledges that in today’s interconnected payment environment, no single entity controls every aspect of payment card processing. Cloud hosting providers manage infrastructure security, payment gateways handle transaction routing, and merchants control their applications and business processes.

PCI DSS requirements 12.8 and 12.9 specifically address this reality by requiring organizations to:

  • Maintain policies for service providers that may affect cardholder data security
  • Ensure service providers acknowledge their responsibility to customers for cardholder data security
  • Implement due diligence programs for service provider management

Regulatory Context

The PCI Security Standards Council recognizes that shared environments require clear delineation of responsibilities. The Council provides guidance through:

  • Information Supplements: Documents that clarify how PCI DSS applies in specific scenarios like cloud computing
  • Designated Entities Supplemental Validation (DESV): A framework for service providers to demonstrate compliance for specific services
  • Service Provider Validation: Requirements for how service providers must demonstrate their compliance

Requirements Breakdown

What’s Required

Under the PCI shared responsibility model, specific requirements apply based on your role and the services you use:

For Merchants:

  • Validate that service providers maintain PCI DSS compliance
  • Ensure written agreements exist that acknowledge service provider responsibilities
  • Maintain responsibility for any cardholder data environment components they control
  • Implement compensating controls if service provider controls are insufficient

For Service Providers:

  • Achieve and maintain PCI DSS compliance appropriate to their service level
  • Provide evidence of compliance to customers (typically through AOC or certification)
  • Clearly communicate which PCI DSS requirements they address for customers
  • Notify customers of any changes that might affect their compliance responsibilities

Key PCI DSS Requirements in Shared Environments:

  • Requirement 2: Secure system configurations (who manages what systems)
  • Requirement 6: Secure application development (who controls application security)
  • Requirement 8: Access controls (how access is managed across entities)
  • Requirement 11: Network security testing (who performs what testing)
  • Requirement 12: Security policies (coordination of policies across entities)

Who Must Comply

Level 1 Service Providers: Must undergo annual on-site assessments by Qualified Security Assessors (QSAs). These are typically large processors, gateways, and hosting providers that store, process, or transmit large volumes of cardholder data.

Level 2 Service Providers: Complete annual Self-Assessment Questionnaires (SAQs) and may require quarterly network scans. These include smaller processors and specialized service providers.

Merchants: Compliance requirements vary by transaction volume and risk level, ranging from annual on-site assessments to self-assessment questionnaires.

Validation Methods

Attestation of Compliance (AOC): Service providers must provide this document to customers, clearly stating which PCI DSS requirements they address and which remain the customer’s responsibility.

Responsibility Matrix Documentation: Both parties should maintain clear documentation of who is responsible for each control, often detailed in Master Service Agreements (MSAs) or Data Processing Agreements (DPAs).

Third-Party Validation: Independent validation through QSA assessments or approved scanning vendors ensures that compliance claims are verified by qualified professionals.

Implementation Steps

Step 1: Inventory Your Payment Ecosystem (Week 1-2)

Create a comprehensive map of all parties involved in your payment processing:

  • Payment processors and gateways
  • Cloud hosting providers
  • Third-party applications that touch cardholder data
  • Network service providers
  • Any outsourced operations that could affect cardholder data security

Step 2: Collect Compliance Documentation (Week 2-4)

Request current compliance documentation from each service provider:

  • Attestation of Compliance (AOC)
  • Service Organization Control (SOC) reports
  • Penetration testing reports
  • Vulnerability scan results
  • Any DESV documentation for cloud providers

Step 3: Create Responsibility Matrices (Week 3-5)

Develop detailed matrices that map each PCI DSS requirement to the responsible party. Include:

  • Primary responsibility assignments
  • Shared responsibility areas
  • Dependencies between parties
  • Escalation procedures for compliance issues

Step 4: Gap Analysis and Risk Assessment (Week 5-6)

Identify areas where:

  • Responsibilities are unclear or overlapping
  • No party is explicitly responsible (compliance gaps)
  • Additional controls are needed to address residual risks
  • Your organization needs to implement compensating controls

Step 5: Formalize Agreements (Week 6-8)

Update contracts and service agreements to include:

  • Explicit PCI DSS compliance requirements
  • Responsibility matrices as contract exhibits
  • Incident response and breach notification procedures
  • Right to audit or review compliance documentation
  • Termination clauses for compliance failures
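The following is an added example (not part of the original guide) that carries Steps 3 and 4 through in code: it walks a responsibility matrix, flags requirements nobody owns, requirements both parties claim outright, and shared areas whose dependencies must be documented, and checks whether a vendor's AOC is still within the annual review window. The party names, requirement labels and dates are constructed sample data, not values from any real AOC or contract.

```python
"""Responsibility-matrix gap analysis for a PCI shared responsibility review.

Added example, not from the original guide. Parties, assignments and dates
are constructed for illustration; a real matrix is built from the provider's
AOC and the responsibility exhibit in your service agreement.
"""
from datetime import date
from typing import Dict, List

# requirement -> party -> "full" | "shared" | "none"  (constructed sample data)
Matrix = Dict[str, Dict[str, str]]

SAMPLE_MATRIX: Matrix = {
    "Req 2: secure configurations": {"merchant": "none", "cloud_provider": "full"},
    "Req 6: secure development": {"merchant": "full", "cloud_provider": "none"},
    "Req 8: access controls": {"merchant": "shared", "cloud_provider": "shared"},
    "Req 11: security testing": {"merchant": "none", "cloud_provider": "none"},
    "Req 12: security policies": {"merchant": "full", "cloud_provider": "full"},
}


def analyze_matrix(matrix: Matrix) -> Dict[str, List[str]]:
    """Classify each requirement as Step 4 of the guide describes.

    gap      - no party is responsible at all (a compliance gap)
    overlap  - more than one party claims full ownership, so ownership is unclear
    shared   - at least one party is "shared": document the dependency
    assigned - exactly one party owns it outright
    """
    findings: Dict[str, List[str]] = {"gap": [], "overlap": [], "shared": [], "assigned": []}
    for req, assignments in matrix.items():
        full = [p for p, level in assignments.items() if level == "full"]
        shared = [p for p, level in assignments.items() if level == "shared"]
        if not full and not shared:
            findings["gap"].append(req)
        elif len(full) > 1:
            findings["overlap"].append(req)
        elif shared:
            findings["shared"].append(req)
        else:
            findings["assigned"].append(req)
    return findings


def aoc_is_current(aoc_date_iso: str, today_iso: str, max_age_days: int = 365) -> bool:
    """True if the AOC (ISO date string) is within the annual review window."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(aoc_date_iso)
    return 0 <= age.days <= max_age_days


if __name__ == "__main__":
    for category, reqs in analyze_matrix(SAMPLE_MATRIX).items():
        print(f"{category:9s}: {reqs}")
    print("AOC current:", aoc_is_current("2024-01-15", "2024-12-01"))
```

Requirements landing in the "gap" bucket are the ones the guide says need either a renegotiated assignment or compensating controls on your side before assessment.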

Timeline Expectations

Most organizations can complete a thorough shared responsibility assessment within 6-8 weeks. However, larger enterprises with complex vendor ecosystems may require 3-4 months for comprehensive documentation and agreement updates.

Resources Needed

  • Internal Team: Information security, legal, procurement, and business stakeholders
  • External Resources: May include QSA consultation for complex scenarios
  • Documentation Tools: Vendor management platforms or document management systems
  • Budget: Plan for potential service upgrades if vendors cannot meet compliance requirements

Best Practices

Industry Recommendations

Implement a Vendor Risk Management Program: Establish formal processes for evaluating, onboarding, and monitoring service providers. This should include initial vendor due diligence, ongoing compliance monitoring, and annual reviews.

Use Standardized Questionnaires: Develop consistent security questionnaires that align with PCI DSS requirements. This ensures you collect the same compliance information from all vendors and can easily compare their security postures.

Establish Clear Communication Channels: Create formal processes for receiving compliance updates, incident notifications, and security alerts from service providers. Include these requirements in your contracts.

Efficiency Tips

Leverage Existing Compliance Programs: Many service providers already have robust compliance programs. Rather than duplicating efforts, focus on understanding how their controls address your compliance requirements.

Automate Compliance Monitoring: Use vendor management platforms that can automatically collect and track compliance documentation, send renewal reminders, and flag compliance gaps.

Standardize Contracts: Develop template contract language for PCI compliance requirements. This speeds up negotiations and ensures consistent protection across all vendor relationships.

Cost-Saving Strategies

Choose Validated Service Providers: Working with PCI-compliant service providers can significantly reduce your compliance scope and associated costs. The investment in higher-tier service providers often pays for itself through reduced compliance overhead.

Implement Network Segmentation: Properly segmenting your network to isolate cardholder data environments can reduce the scope of systems that need to meet PCI requirements, lowering both your costs and your vendors’ costs.

Negotiate Compliance Terms: Include compliance requirements in your initial vendor negotiations. It’s often easier and less expensive to address these requirements upfront rather than retrofitting them later.

Common Mistakes

What to Avoid

Assuming Vendor Compliance Equals Your Compliance: The most common mistake is believing that using PCI-compliant vendors automatically makes you compliant. Each party must address its specific responsibilities within the shared model.

Inadequate Documentation: Failing to document responsibility assignments creates confusion during assessments and can lead to compliance failures. Always maintain current, detailed responsibility matrices.

Ignoring Inherited Risks: When vendors have compliance gaps or incidents, these can directly impact your compliance posture. Don’t assume vendor compliance claims without verification.

How to Fix Issues

Conduct Regular Reviews: Establish quarterly reviews of vendor compliance status and annual comprehensive assessments. This helps identify issues before they become compliance failures.

Implement Compensating Controls: When vendors cannot fully address required controls, implement additional measures to achieve equivalent security. Document these thoroughly for your assessors.

Develop Incident Response Procedures: Create specific procedures for handling vendor-related security incidents, including communication protocols and customer notification requirements.

When to Escalate

Escalate vendor compliance issues when:

  • Vendors cannot provide current compliance documentation
  • Responsibility gaps are identified that neither party can address
  • Vendor compliance failures could impact your assessment
  • Contractual disputes arise over compliance responsibilities

Engage qualified security assessors or legal counsel when dealing with complex shared responsibility scenarios or when vendor relationships involve significant compliance risks.

Tools and Resources

Helpful Tools

Vendor Management Platforms: Solutions like ServiceNow Vendor Risk Management, ProcessUnity, or BitSight provide automated tools for collecting, tracking, and monitoring vendor compliance documentation.

Risk Assessment Templates: The PCI Security Standards Council provides guidance documents and templates for assessing shared responsibility scenarios, particularly for cloud environments.

Compliance Tracking Spreadsheets: For smaller organizations, well-designed spreadsheets can effectively track vendor compliance status, renewal dates, and responsibility assignments.

Templates and Checklists

Vendor Due Diligence Checklist:

  • [ ] Current AOC or compliance certification
  • [ ] Responsibility matrix for PCI DSS requirements
  • [ ] Incident response and notification procedures
  • [ ] Network architecture and segmentation documentation
  • [ ] Penetration testing and vulnerability scan results

Contract Language Templates:

  • PCI DSS compliance requirements and responsibilities
  • Right to audit and review compliance documentation
  • Incident notification timeframes and procedures
  • Termination rights for compliance failures
  • Indemnification for compliance-related damages

Professional Services

Qualified Security Assessors (QSAs): Can provide expert guidance on complex shared responsibility scenarios and validate that your approach meets PCI DSS requirements.

Legal Counsel: Essential for drafting and reviewing vendor contracts that include compliance requirements and for addressing disputes over responsibility assignments.

Vendor Management Consultants: Can help design and implement formal vendor risk management programs that align with PCI DSS requirements.

FAQ

Q: If my cloud provider is PCI compliant, does that make my application compliant too?
A: No. Cloud provider compliance typically covers infrastructure components (networks, servers, physical security), but you remain responsible for application security, access controls, and data handling within your environment. Always review the provider’s responsibility matrix to understand exactly what they cover.

Q: How often should I review vendor compliance documentation?
A: PCI compliance documentation should be reviewed annually at minimum, with quarterly checks for any changes or incidents. High-risk vendors or those handling large volumes of cardholder data may require more frequent reviews.

Q: What happens if a vendor loses their PCI compliance during our contract term?
A: Your contract should include specific procedures for this scenario. Typically, vendors have 30-90 days to remediate compliance issues. If they cannot restore compliance, you may need to implement compensating controls or find an alternative provider to maintain your own compliance.

Q: Can I rely on vendor self-attestations for compliance verification?
A: Self-attestations (SAQs) are acceptable for many vendor relationships, but you should verify that the SAQ type matches the vendor’s actual environment and services. For critical vendors, consider requiring third-party validation through QSA assessments.

Q: Who is responsible for PCI compliance when using payment processors?
A: This depends on your integration method. If you use hosted payment pages or tokenization services, the processor typically handles most PCI requirements. However, if cardholder data touches your systems at any point, you maintain specific compliance obligations. Always review the processor’s responsibility matrix and your merchant agreement.

Conclusion

Understanding PCI shared responsibility is fundamental to building a secure and compliant payment environment. The key is recognizing that compliance is truly a shared effort—no single party can or should bear all the responsibility, but each party must clearly understand and fulfill their specific obligations.

Successful shared responsibility management requires proactive vendor management, clear documentation, and ongoing monitoring. By implementing the strategies and best practices outlined in this guide, you can create a robust compliance framework that protects cardholder data while optimizing costs and operational efficiency.

Remember that shared responsibility isn’t just about dividing compliance tasks—it’s about creating a collaborative security culture where all parties work together to protect sensitive payment information. Regular communication, documented processes, and continuous monitoring are essential for maintaining this collaborative approach.

Ready to determine your specific PCI compliance requirements?

PCICompliance.com helps thousands of businesses achieve and maintain PCI DSS compliance with affordable tools, expert guidance, and ongoing support. Try our free PCI SAQ Wizard tool at PCICompliance.com to determine which Self-Assessment Questionnaire you need and start your compliance journey today. Our comprehensive platform will help you navigate the complexities of shared responsibility and ensure you’re meeting all your PCI DSS obligations effectively.
