E-Commerce

PCI DSS Service Provider Standard

Last modified 1/8/2025

Purpose

The purpose of this standard is to establish secure and compliant guidelines for managing Payment Card Industry (PCI) service providers. PCI service providers process, transmit, and manage extremely sensitive cardholder data (CHD) and are a prime target for attackers, as the processing of cardholder data creates a significant business-critical exposure, and compromised cardholder data is easily monetized by attackers.

By implementing this standard, the University seeks to ensure compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) and mitigate risks posed by service providers. This approach balances providing effective guidance for managing service providers while allowing University units freedom to maintain individual processes and procedures.

Scope

This standard applies to all merchants, support teams, and service providers participating in payment card processing. This standard exclusively applies to merchants, support teams, and service providers governed by the Payment Card Industry Data Security Standard.

Standard

The E-Commerce Committee must maintain and follow documented processes and/or procedures to meet the following criteria:

  1. A list of all third-party service providers (TPSPs) with which account data is shared or that could affect the security of account data is maintained, including a description for each of the services provided.
  2. Written agreements with TPSPs are maintained as follows:
    1. Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE.
    2. Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE.
  3. An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement.
  4. A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months.
  5. Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity.

Exceptions

While this standard is intended to apply comprehensively, there may be instances where departments are unable to meet the full requirements. In such cases, exceptions must be formally requested and reviewed.

Requests for exceptions must be submitted to Payment Card Support² through the university’s ticketing system or by emailing paymentcardsupport@ilstu.edu. Each request must include:

  • The information technology team and functional business units associated with the exception request
  • Device or process/procedure identifiers affected by the exception
  • A detailed use case explaining why the exception is necessary and what compensating security controls, if any, will be implemented

Payment Card Support, Information Security Office, and the E-Commerce Committee will mutually review all exception requests in accordance with the Information Security Program's exception management process. Approval will be granted only when it is determined that operational needs outweigh the security risks, and where appropriate compensating controls are in place to mitigate those risks. All approved exceptions will be documented, periodically reviewed, and may be subject to additional security monitoring.

Additional Information

Footnotes

The following footnotes provide supporting information referenced in the other sections of this document:

  1. Payment card industry (PCI) definitions are maintained by the PCI Security Standards Council (SSC) in the Glossary on the PCI SSC website, including Web Redirection Server, Payment Cards, Payment Card Industry Data Security Standard (PCI DSS), Point of Interaction (POI), Point-to-Point Encryption (P2PE), Self-Assessment Questionnaire (SAQ), and more.
  2. Payment Card Support: The cross-functional support team for PCI DSS and payment card devices. You may contact a team member directly, submit a ticket to Payment Card Support, or email paymentcardsupport@ilstu.edu.

Supporting References

The following references informed the development of this standard:

https://policy.illinoisstate.edu/technology/9-8/

https://policy.illinoisstate.edu/technology/9-1/

https://policy.illinoisstate.edu/fiscal/cashier/7-5-2/

https://policy.illinoisstate.edu/technology/9-2-2/

https://listings.pcisecuritystandards.org/documents/PCI-DSS-v4-0-SAQ-A.pdf

https://listings.pcisecuritystandards.org/documents/PCI-DSS-v4-0-SAQ-P2PE.pdf

https://www.pcisecuritystandards.org/glossary/

PCI DSS Guidance

Illinois State University complies with the PCI DSS framework to ensure our cybersecurity measures effectively meet compliance and mitigate risks associated with payment card processing. PCI DSS requirements relevant to this standard are documented here.

12.1.1 An overall information security policy is:

  • Established.
  • Published.
  • Maintained.
  • Disseminated to all relevant personnel, as well as to relevant vendors and business partners.

12.1.2 The information security policy is:

  • Reviewed at least once every 12 months.
  • Updated as needed to reflect changes to business objectives or risks to the environment.

12.1.3 The security policy clearly defines information security roles and responsibilities for all personnel, and all personnel are aware of and acknowledge their information security responsibilities.

12.6.1 A formal security awareness program is implemented to make all personnel aware of the entity’s information security policy and procedures, and their role in protecting the cardholder data.

12.8.1 A list of all third-party service providers (TPSPs) with which account data is shared or that could affect the security of account data is maintained, including a description for each of the services provided.

12.8.2 Written agreements with TPSPs are maintained as follows:

  • Written agreements are maintained with all TPSPs with which account data is shared or that could affect the security of the CDE.
  • Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the security of the entity’s CDE.

12.8.3 An established process is implemented for engaging TPSPs, including proper due diligence prior to engagement.

12.8.4 A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months.

12.8.5 Information is maintained about which PCI DSS requirements are managed by each TPSP, which are managed by the entity, and any that are shared between the TPSP and the entity.

12.10.1 An incident response plan exists and is ready to be activated in the event of a suspected or confirmed security incident. The plan includes, but is not limited to:

  • Roles, responsibilities, and communication and contact strategies in the event of a suspected or confirmed security incident, including notification of payment brands and acquirers, at a minimum.
  • Incident response procedures with specific containment and mitigation activities for different types of incidents.
  • Business recovery and continuity procedures.
  • Data backup processes.
  • Analysis of legal requirements for reporting compromises.
  • Coverage and responses of all critical system components.
  • Reference or inclusion of incident response procedures from the payment brands.