Key Takeaways | PCI DSS 4.0: Third-Party Service Providers and Risk Management - McDermott Will & Emery

PCI DSS 4.0 brings major changes to payments, with an increased focus on technical controls, targeted risk analysis, organizational maturity and governance. With PCI DSS 4.0 deadlines fast approaching, the new and more robust obligations regarding Third-Party Service Providers (TPSPs) mean that achieving compliance will take organizations longer than anticipated.

During this installment of our PCI DSS 4.0 webinar series, Alan Gutierrez-Arana of Mazars US joined McDermott privacy and cybersecurity lawyers Todd McClelland and Mark Schreiber to review how merchants identify, vet and monitor their TPSPs. They also addressed the same issues from the provider's side.

Key takeaways included:

  1. PCI DSS 4.0 Requirement 12.8 implements difficult changes in a short time. The updated requirements will be implemented from March 31, 2024, less than one year from now. Customers must quickly establish and maintain a comprehensive registry of all TPSPs and rigorously supervise their compliance status. This obligation entails contract review and modifications and the addition of compliance measures, such as mandatory reporting, that demand due diligence and time. Some TPSPs may balk at the contract changes or the new obligations, which may leave the customer needing to find a new vendor.
  2. Using or outsourcing to a compliant TPSP does not automatically make the customer compliant. Compliance cannot be outsourced: merchants and customers remain responsible for their own PCI compliance, and in the event of a breach the merchant bears the ultimate responsibility.
  3. PCI DSS Version 4 introduces substantial modifications. New definitions require changes to contracts and a basic understanding of PCI, including the redefined roles of Service Providers and TPSPs. Merchants, including those who may have outsourced all of their PCI compliance, must understand the newly added requirements and convey them to all of their TPSPs.


Alan Gutierrez-Arana, Principal at Mazars US
