"PCI DSS 3.2, you are only as secure as your service provider…”

TalkingEDUSmall.jpgAn excellent resource for those of us who need the Readers Digest version of the ever evolving topic of payment card industry data security standards (PCI DSS) is PCI Guru (pciguru.wordpress.com). This site reflects the real life experiences and insight of a PCI Qualified Security Assessor. The site's creator and author chooses to remain anonymous (I assume to protect the guilty as well as the innocent). They bring common sense and plain language to what can quickly become an arcane subject.

With the release of PCI DSS 3.2 in April 2016, a hot topic emerged around the elevated requirements for third party service providers.

Third party service providers are organizations that directly process, store or transmit sensitive authentication data or cardholder data. My guess is that many of the readers of this post use a third party service provider in your institutions payment acceptance ecosystem.

PCI DSS 3.2 introduces several new requirements on third party service providers. Your organization needs to be up to speed on them. To get a comprehensive overview, check out PCI Guru’s article at:


…or you can dive in head first and study the 52 page “Information Supplement: Third Party Security Assurance” published by the PCI Security Standards Council at:


…search the document library for “Third Party”.

Remember, you are only as secure as your service provider!


Looking for more? Check out our library of resources.

Get Started