Few organizations handle their entire payment process alone. Most rely on third-party service providers — payment gateways, hosting companies, processors, and others — that store, process, or transmit cardholder data on their behalf or can affect its security. PCI DSS recognizes this reality and holds organizations responsible for managing these relationships, because a provider's lapse can undermine your own compliance and security.
This guide explains what a third-party service provider (TPSP) is in PCI DSS terms, your responsibilities for managing them, the due diligence and monitoring the standard expects, and how to document the relationship clearly. Managing TPSPs well is an often-overlooked but essential part of compliance, since your security is only as strong as the weakest provider in your payment chain. Handling it properly is part of a credible path to PCI DSS certification.
What a TPSP is
A third-party service provider, in PCI DSS terms, is an external company that stores, processes, or transmits cardholder data on your behalf, or that could affect the security of your cardholder data environment. This includes obvious players like payment processors and gateways, but also hosting providers, data centers, managed security services, and any vendor whose service touches or influences your payment systems.
The breadth of this definition catches many organizations by surprise. A cloud hosting provider that runs your payment application, or a support tool that could access systems handling card data, can both be TPSPs. Identifying every provider that fits the definition is the first step in managing them, because you cannot manage relationships you have not recognized as relevant to PCI DSS.
Why managing TPSPs matters
TPSPs matter because your compliance and security depend partly on them. If a provider handling your cardholder data is breached or non-compliant, the consequences flow to you — your data is exposed, your compliance is undermined, and you may bear responsibility. PCI DSS therefore makes managing these providers an explicit obligation rather than an optional good practice.
This shared responsibility is the heart of TPSP management. You cannot simply outsource a function and assume the provider has taken care of compliance entirely; you remain accountable for ensuring the providers you rely on are themselves compliant and secure. Managing TPSPs well protects both your data and your ability to demonstrate compliance, while neglecting it leaves a gap that a provider's failure can turn into your crisis.
Due diligence before engaging a provider
PCI DSS expects you to perform due diligence before engaging a service provider that will handle cardholder data or affect its security. This means assessing the provider's security posture and PCI DSS compliance status before entering the relationship, rather than discovering problems after the fact. A key part of this is obtaining and reviewing the provider's Attestation of Compliance.
Due diligence also involves understanding exactly what service the provider offers, how it interacts with your card data, and what security commitments it makes. A provider with a current, relevant Attestation of Compliance that covers the service you actually use gives you a foundation to rely on. One that cannot demonstrate compliance, or whose attestation does not cover the relevant service, is a risk you should weigh carefully before proceeding.
Maintaining a list of your TPSPs
PCI DSS requires organizations to maintain a list of the third-party service providers with which they share cardholder data or that could affect its security. This inventory is the foundation of TPSP management, because you cannot monitor or manage providers you have not catalogued. The list should capture each provider, the service they deliver, and their relevance to your cardholder data environment.
Keeping this list current is an ongoing task, since providers are added and removed as your business evolves. A new vendor that begins handling card data must be added; one no longer used should be removed. An accurate, maintained TPSP inventory both satisfies the requirement and gives you the visibility needed to manage the relationships responsibly over time.
Defining responsibilities clearly
One of the most important aspects of TPSP management is clarifying who is responsible for which PCI DSS requirements. When you share responsibility for a payment process with a provider, both parties must understand exactly which controls each is responsible for, so that nothing falls into a gap where neither party is managing it. PCI DSS expects this division of responsibility to be documented.
This responsibility matrix prevents the dangerous assumption that the other party is handling a given control. Many breaches and compliance failures stem from exactly this kind of gap, where both the organization and its provider each believed the other was responsible for a security measure. Documenting the split explicitly, and confirming both parties agree, closes this gap and is increasingly an expectation under the standard.
Ongoing monitoring of providers
Managing TPSPs does not end at engagement; PCI DSS expects ongoing monitoring of providers' compliance status. This means periodically confirming that each provider's Attestation of Compliance remains current and continues to cover the relevant service. A provider whose attestation lapses, or whose compliance status changes, can quietly undermine your own compliance if you do not notice.
Establishing a process to track provider attestations — their expiry dates, their scope, and any changes — turns monitoring from an afterthought into a routine. Because you rely on providers' compliance to support your own scope reductions and security, keeping current on their status is a genuine compliance task, not a formality, and one that protects you from inheriting a provider's failure.
Contracts and written agreements
PCI DSS expects the relationship with TPSPs that handle cardholder data to be governed by written agreements that include the providers' acknowledgment of their responsibility for the security of the cardholder data they handle. These contractual commitments formalize the provider's obligations and your shared understanding of who is responsible for what.
Such agreements protect both parties and provide evidence for your own assessment. They make explicit that the provider accepts responsibility for the relevant security, which both reinforces the relationship and gives you something concrete to point to when demonstrating that you manage your providers properly. Reviewing and updating these agreements as services change keeps them aligned with reality.
Common TPSP management mistakes
The most common mistake is assuming that outsourcing a function entirely removes your responsibility — it reduces your scope but rarely eliminates your accountability for managing the provider. Another is failing to maintain a current list of providers, so some relationships go unmanaged. Not obtaining or tracking providers' attestations, and leaving responsibilities undocumented, also create gaps.
These mistakes share a root cause: treating providers as a way to make compliance someone else's problem. In reality, PCI DSS makes managing providers your problem. Recognizing this and putting in place the inventory, due diligence, responsibility matrices, monitoring, and agreements the standard expects turns TPSP management from a blind spot into a well-controlled part of your program.
How ISpectra helps you manage TPSPs
Managing third-party service providers properly — inventorying them, performing due diligence, dividing responsibilities, monitoring their status, and documenting the relationships — is an essential but easily overlooked part of compliance. ISpectra Technologies helps organizations build and maintain this TPSP management, ensuring the providers you rely on genuinely support rather than undermine your compliance.
With free vulnerability assessment and penetration testing to validate your own environment and a 10% discount when PCI DSS is bundled with SOC 2 or ISO 27001, ISpectra helps you address the full picture — your systems and the providers connected to them — so that no part of your payment chain becomes the weak link that compromises your compliance.