Third-Party Service Providers
Software vendors often rely on outsourced, third-party service providers for certain software lifecycle management functions—e.g., for software development (excluding the use of open-source code), performing code reviews or other testing of the software vendor’s software, hosting for the software vendor’s software development or delivery platforms, or integrating and installing the software vendor’s products.
Where a third-party service can affect the software vendor’s software lifecycle management practices or the security of the software vendor’s software, the applicable PCI Secure SLC Requirements will need to be identified and implemented for that service. The software vendor and the service provider will need to understand which software lifecycle management functions the service affects, and identify which PCI Secure SLC Requirements are the responsibility of the service provider and which are the responsibility of the software vendor.
The software vendor is expected to have processes in place to manage risks associated with third-party service providers, including (as applicable for each service):
- Performing due diligence prior to engagement;
- Clearly defining security responsibilities;
- Periodically verifying that agreed-upon responsibilities are being met; and
- Maintaining a written agreement to ensure both parties understand and acknowledge their security responsibilities.
While the ultimate responsibility for the security of the software lies with the software vendor, service providers may be required to demonstrate compliance with the applicable PCI Secure SLC Requirements based on the provided service. The service provider may do so by either:
(a) Undergoing its own PCI Secure SLC assessment for the applicable product(s) or service(s) provided to the software vendor, and providing evidence to the software vendor that demonstrates its compliance with the applicable PCI Secure SLC Requirements for that product/service; or
(b) Having the applicable product(s) or service(s) included in the software vendor’s PCI Secure SLC assessment, and allowing the software vendor’s assessor to evaluate whether the product/service meets the applicable PCI Secure SLC Requirements.
The evidence provided by service providers should be sufficient to verify that the scope of the service provider’s PCI Secure SLC assessment covers the services applicable to the software vendor’s software lifecycle management practices, and that the relevant PCI Secure SLC Requirements were validated. The specific type of evidence provided will depend on how the assessments are managed. For example, if the service provider undergoes its own PCI Secure SLC assessment, the resulting Report on Compliance (ROC) could provide some or all of the information needed by the software vendor’s assessor to validate applicable PCI Secure SLC Requirements. If the service is being included in the software vendor’s PCI Secure SLC assessment, the evidence provided would be determined by the control objectives being assessed and the test requirements for those control objectives.