Service Provider Management

New Service Providers

MDRPs must complete this checklist for each new Service Provider and on an annual basis.

Proposed service providers with a payment card component, or that can impact the security of payment card data, must provide the following documentation, and meet the below requirements, to be considered a Service Provider for Middlebury:

• Card-present and card-not present solutions must be listed as a P2PE validated solution by the PCI SSC. Service Provider must provide the PCI SSC Validation number. 
• E-commerce solution: Preferred providers should be a PCI Service Provider Level 1.
• Solutions must integrate with our existing payment gateways (Bluefin’s PayConex and CyberSource).
• Provide either a current V3.2 Self Assessment Questionnaire D-Service Provider Attestation of Compliance (AOC) or an On-Site Assessment AOC for Service Providers. SAQ D-Service Provider is the only applicable SAQ for a service provider. The AOC must be for the Service Provider we are contracting with, the Service Provider cannot rely on third party service provider’s compliance.
• The AOC must be filled out completely and specifically note assessment of the service being provided.
• Proof of recent passing quarterly ASV scan and annual Penetration testing.
• Service Provider must complete the Security Survey.
• Matrix of PCI Responsibilities Service Provider is responsible for (AOC section 2g)
• Contract/Written agreement must include the Data Privacy and Breach Notification language.

Annual Service Provider Management

MDRPs must perform annual Service Provider due diligence on an annual basis or upon significant changes with the Service Provider. Use this form.

The MDRP should collaborate with the Service Provider to receive the current compliance document prior to the expiration of the documentation on file. The following documentation is to be forwarded to the PCI Compliance Team annually:

• Service Providers must provide either a V3.2 SAQ D-Service Provider AOC or a V3.2 On-Site Assessment AOC for Service Providers. See below for documents.
• The AOC submitted must be completely filled out and specifically note assessment for the services being provided.
• Verify the PCI P2PE validation on PCI SSC (card present solutions).

A current and comprehensive list of Service Providers must be maintained by Middlebury. MDRP’s must keep a list of Service Providers they are responsible for managing. The comprehensive list will be maintained by the PCI Compliance team and will contain the following information:

• Service Provider Name
• Service being provided-description
• PCI Validation Required
• Specific PCI requirements responsible for (noted in the AOC)
• Validation Date
• Expiration Date
• Assessor
• Merchant Department/Functional Area

The comprehensive list of Service Providers is maintained at Service Provider Matrix and AOC Tracker. All MDRP’s have been granted read access to the spreadsheet.

Service Provider Documents

• SAQD - Service Provider marked up noting required sections
• SAQD - Service Provider entire document (TEMPLATE REQUIRED ANNUALLY)