PCI DSS v4.0: An Open Letter to PCI Third-Party Service Providers

Article PCI DSS

Vendor Review

We are less than six months away from PCI DSS version 3.2.1 retiring at the end of Q1 2024. As your organization finalizes migration plans for moving to PCI DSS version 4.0, vendor oversight should be a top priority.

The central PCI team should be tracking the compliance status of all third-party service providers (TPSPs) involved in the payment process. Per the PCI SSC, there are two parts to the PCI Service Provider definition: 1) An entity who transmits, processes, or stores cardholder data on behalf of another entity, and/or 2) An entity that provides services that control or could impact the security of cardholder data (Note: This includes being able to affect the security of the process).

CampusGuard recommends reaching out to your vendor list now to ensure their teams are on track for meeting new PCI DSS v4.0 requirements and confirm they will be able to provide your organization with the necessary, updated compliance documentation in 2024.

Below is some sample language your departments and teams can reference and customize as needed for each vendor. Begin this communication with your vendor representatives sooner rather than later so you aren’t caught off guard next year if and when a third party is unable to provide the relevant documentation.

Hello [Vendor Contact],

As a contracted service provider for [Department] within [Organization] involved in payment card processing, you are required to provide [Organization] with an updated PCI Attestation of Compliance (AOC) annually. Your last AOC was completed [DATE], so please provide your updated AOC for this year.

This annual requirement was referenced in the original contract: [Contract reference]

If your application re-directs to or is integrated with a compliant payment processor (i.e., PayPal, Authorize.net, Stripe, etc.), [Organization] does still require your organization to provide a separate Attestation of Compliance due to the fact that you can impact the security of the payment process.

PCI DSS Version 4.0 will be in effect on March 31, 2024. Any AOCs completed after that date must be performed using version 4.0. Requirement 12.9.2 of the DSS also requires third-party service providers to provide information to customers regarding their own PCI compliance and a breakdown of customer versus vendor responsibilities. Attached is an example responsibility matrix that can be used as needed to outline the responsibilities for meeting each DSS requirement between each party (Vendor or Organization), or shared responsibilities.

Please provide the requested AoC and responsibility matrix to [Contact info].

If you have any questions, please let us know.

Thank you,
[Department Contact]

If you would like a copy of the updated version 4.0, 12.9.2 TPSP Responsibility Matrix please reach out to your dedicated CRM team. Many of the larger service providers will have a matrix readily available as they understand it is a requirement for doing business. However, the smaller vendors may not be abiding by this requirement yet and will welcome a template to help get them started.

As always, your dedicated QSA from CampusGuard can assist with these third-party conversations, and help review and define the vendor’s role in securing the overall payment process. A QSA can also help review current third-party contract language and contracts, and provide guidance on any necessary updates as we move to version 4.0.

Contact us if you need any assistance.

Additional feedback from one of our Security Advisors:

[Smith]: Migrating to PCI DSS v4.0 is a great opportunity to review how you manage Third-Party Service Providers (TPSPs). You should reach out to each TPSP representative with the goal of building a solid relationship. It’s important to document all communications you have with them throughout this process. Keep in mind that this will be a big change for some of the smaller TPSPs, so patience from both parties will play a big role in hitting that target before March 31, 2024. If you do receive pushback along the way and need assistance communicating the importance of this change, CampusGuard is always available to provide additional guidance.


About the Author
Katie Johnson

Katie Johnson


Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.