This message was posted by a user wishing to remain anonymous
My two cents as a TPRM manager who has been preparing audit evidence for PCI DSS controls 12.8.1-12.8.5 for quite some time:
I agree with Dave that the NDA is meant to ensure privacy of information between both parties. So there shouldn't be a holdup in their ability to provide this type of information...it's standard practice across our industry.
Depending on the type of service provider and how they handle PCI data (access, store, process, transmit, or can affect the security of it), the PCI DSS AOC is generally the optimal evidence material to acquire, but typically for merchants you'll expect them to provide a PCI DSS SAQ A, PCI DSS SAQ-E or PCI DSS SAQ-D. If none of these, then have them sign a Data Protection Agreement as an addendum to the service agreement. Your legal counsel should be involved in the development of that material.
A last-ditch effort I'd recommend is checking the VISA global registry of validated PCI providers, and using that as evidence if no other means help you achieve your desired outcome here:
https://www.visa.com/splisting/searchGrsp.do
Original Message:
Sent: 02-10-2022 09:25 AM
From: Dave Howe
Subject: PCI Vendors
As someone without any skin in the game, this would be a flag for me.
Due diligence is something that we need to do prior to signing a contract. It's policy, and it's reasonable. They are in essence asking you to sign on the dotted line before you know anything about them.
That said, I understand their desire to protect their information. That's what an NDA would be for, to allow you to do a legitimate review of controls and processes so that you can make a good decision.
It does surprise me how often companies make this rather standard request into such a roadblock.
Thanks,
Dave
David Howe, CCUFC
Chief Information Officer
Original Message:
Sent: 2/9/2022 4:11:00 PM
From: Anonymous Member
Subject: PCI Vendors
This message was posted by a user wishing to remain anonymous
Good afternoon all,
What due diligence do you obtain from a new potential PCI solution?
We are getting real kickback on our request. We have a potential provider who is not willing to provide any control documentation for our review, not even their SOC or AOC, until we sign the merchant agreement.
I would appreciate insight into how you all review new PCI solutions or how you have handled a similar situation.