PCI DSS 4.0: Third-Party Service Providers & Risk Management

Key Takeaways | PCI DSS 4.0: Third-Party Service Providers and Risk Management


PCI DSS 4.0 brings major changes to payments, with an increased focus on technical controls, targeted risk analysis, organizational maturity and governance. With PCI DSS 4.0 deadlines fast approaching, the new and more demanding obligations regarding Third-Party Service Providers (TPSPs) will take organizations longer than anticipated to meet.

During this installment of our PCI DSS 4.0 webinar series, Alan Gutierrez-Arana of Mazars US joined McDermott privacy & cybersecurity lawyers Todd McClelland and Mark Schreiber to review how merchants identify, vet and monitor their Third-Party Service Providers (TPSPs). They also addressed issues from the provider side.

Key takeaways included:

  1. PCI DSS 4.0 Requirement 12.8 introduces difficult changes on a short timeline. The updated requirements take effect on March 31, 2024, less than one year from now. Customers must quickly establish and maintain a comprehensive registry of all TPSPs and rigorously monitor their compliance status. This obligation entails contract review and modification and the addition of compliance measures, such as mandatory reporting, that demand due diligence and time. Some TPSPs may balk at contract changes or the new obligations, which may require finding a new vendor.
  2. Using or outsourcing to a compliant TPSP does not automatically make the customer compliant. Compliance cannot be outsourced. Merchants and customers remain responsible for their own PCI compliance. In the event of a breach, the merchant bears the ultimate responsibility.
  3. PCI DSS Version 4 introduces substantial modifications. New definitions require changes to contracts and a basic understanding of PCI, including the redefined roles of Service Providers and TPSPs. The newly added requirements must be understood by merchants, including those who have outsourced all of their PCI compliance, and conveyed to all of their TPSPs.


Alan Gutierrez-Arana, Principal at Mazars US
