GRCWatch
Sign inStart free trial

PCI DSS 12.8.3: Due Diligence Before Third-Party Service Provider Engagement

Third-party service providers represent a significant attack surface for your payment card environment. PCI DSS 12.8.3 requires you to establish and document a formal due diligence process before engaging any TPSP that handles, stores, or transmits card data. Without proper vetting, you inherit their security gaps and compliance failures.

What this means

PCI DSS 12.8.3 mandates that organizations create a documented, repeatable process for evaluating third-party service providers before onboarding them. This goes beyond casual vendor selection—you must assess their security posture, compliance status, incident history, and ability to meet PCI DSS requirements. The due diligence process becomes your first line of defense against supply chain compromises.

How to comply

  1. 1.Document your TPSP due diligence policy, including evaluation criteria and approval workflows
  2. 2.Require vendors to provide evidence of PCI DSS compliance (attestation letter, certification level, or audit reports)
  3. 3.Assess vendor security controls, encryption practices, and data handling procedures relevant to your environment
  4. 4.Review vendor incident history, breach notifications, and regulatory enforcement actions
  5. 5.Evaluate vendor contracts for security obligations, liability terms, and breach notification requirements
  6. 6.Verify vendor's ability to support your specific security requirements and maintain compliance standards
  7. 7.Document all due diligence findings and maintain vendor risk assessment records
  8. 8.Conduct periodic re-evaluations of existing TPSPs to ensure ongoing compliance

Evidence auditors look for

  • TPSP due diligence checklist or evaluation form with signed approval
  • Vendor PCI DSS compliance certificates or attestation letters (AOC, ROC, ASV reports)
  • Vendor security questionnaire responses or SOC 2 reports
  • Vendor contracts with security and compliance clauses
  • Risk assessment documentation for each TPSP
  • Vendor compliance status tracking spreadsheet
  • Documentation of vendor re-evaluation reviews and updates

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates vendor due diligence workflows by centralizing compliance documentation collection, tracking attestation statuses, and flagging expired certifications—eliminating manual tracking and ensuring no TPSP slips through your evaluation process.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 12.8.1 - TPSP List MaintenancePCI DSS 12.8.2 - Maintain TPSP ContractsPCI DSS 12.8.4 - Vendor Monitoring and Management