Third-party service providers are validated for PCI compliance
Why it matters
PCI DSS v4.0 Req 12.8 requires that the risk from third-party service provider (TPSP) relationships be managed: a maintained list of TPSPs (12.8.1), written agreements (12.8.2), due diligence before engagement (12.8.3), monitoring of each TPSP's PCI DSS compliance status at least once every 12 months (12.8.4), and a record of which PCI DSS requirements each TPSP manages on your behalf and which remain yours (12.8.5). Every third-party service that stores, processes or transmits cardholder data, or that can affect the security of the CDE (payment processor, hosting provider, monitoring or logging platform), extends your PCI scope. If Stripe, AWS, or a logging vendor has a compliance gap you have not verified, that gap is your assessment finding and your liability. ISO 27001:2022 A.5.19 and SOC 2 CC9.2 both require supplier and vendor risk management as a formal program.
Severity rationale
Low because a vendor's compliance gap only turns into an incident for you if that vendor is actually compromised and your data or systems are affected. The exposure is real, but it sits behind the vendor's own controls, one step removed from your CDE. Note that the absence of a monitoring program is still a direct PCI DSS finding under Req 12.8.4, whether or not any breach occurs.
Remediation
Create docs/vendor-compliance.md listing every third-party service that accesses or processes cardholder data, or that could affect the security of the CDE (hosting, monitoring, logging), with its role, compliance status, the AOC or SOC 2 report that status is based on, and the date it was last verified. Review and update this document at least every 12 months per Req 12.8.4, and keep the downloaded reports alongside it as evidence for your assessor.
| Vendor  | Role                | Compliance                       | Last Verified |
|---------|---------------------|----------------------------------|---------------|
| Stripe  | Payment processing  | PCI DSS Level 1                  | 2026-01-30    |
| AWS     | Infrastructure      | PCI DSS Level 1, SOC 2 Type II   | 2026-01-15    |
| Datadog | Monitoring          | PCI DSS Level 1                  | 2026-01-20    |
For each vendor, download the current AOC (or SOC 2 report, for vendors outside PCI scope) annually from their security portal (Stripe: stripe.com/docs/security; AWS: aws.amazon.com/compliance, with the reports themselves downloadable from AWS Artifact) and record the reference and verification date in the table. A SOC 2 report alone does not satisfy Req 12.8.4 for a TPSP that stores, processes or transmits cardholder data or hosts the CDE; for those, obtain the PCI DSS AOC and confirm that its scope covers the specific services you use. Add a calendar reminder so the review lands before your annual PCI assessment.
Detection
- ID: vendor-compliance
- Severity: low
- What to look for: Enumerate all third-party services used in the project by scanning package.json dependencies, infrastructure configs, and environment variable patterns (API keys, service endpoints). Count the third-party vendors that handle or can access cardholder data (payment processors, hosting, monitoring, database services). Search for vendor compliance documentation (look for "vendor", "compliance", "third-party" in docs/). For each vendor found, check whether its compliance status (AOC, SAQ, SOC 2) is documented.
- Pass criteria: At least 1 vendor compliance documentation file exists. The document lists at least 2 third-party vendors with their compliance status (AOC, SAQ type, SOC 2 report). At least 1 vendor has a documented last review date. Report: "X vendors documented, Y with compliance status, Z with review dates."
- Fail criteria: No vendor compliance documentation found (0 files), or vendors are listed without compliance status verification, or fewer than 2 vendors documented.
- Skip (N/A) when: Only 1 payment processor is used (e.g., Stripe only), no other third-party service handles cardholder data, and that processor is PCI DSS Level 1 certified.
- Detail on fail: Specify the gap. Example: "0 vendor compliance documentation files found. 4 third-party services detected in package.json (stripe, datadog, supabase, sendgrid) with no compliance tracking." or "docs/vendors.md lists 3 vendors but 0 have documented compliance status or review dates."
- Remediation: Create and maintain vendor compliance documentation. Create docs/vendor-compliance.md:

```markdown
# Third-Party Vendor Compliance Assessment

## Vendors Handling Cardholder Data

| Vendor   | Service             | Compliance Status               | AOC/SAQ                      | Last Review | Notes                          |
|----------|---------------------|---------------------------------|------------------------------|-------------|--------------------------------|
| Stripe   | Payment Processing  | Level 1 PCI DSS                 | AOC (Annual)                 | 2025-11-30  | Fully compliant                |
| Datadog  | Monitoring          | Level 1 PCI DSS                 | AOC (Annual)                 | 2025-10-15  | Compliant, no card data stored |
| AWS      | Infrastructure      | Level 1 PCI DSS, SOC 2 Type II  | AOC + SOC 2 report (Annual)  | 2025-12-01  | Compliant, encryption enabled  |
| SendGrid | Email Notifications | SOC 2 Type II                   | Report (Annual)              | 2025-09-30  | No card data, compliant        |

## Vendor Onboarding Checklist

- [ ] Verify PCI DSS compliance (request AOC or SAQ)
- [ ] Confirm data handling procedures
- [ ] Review security policies
- [ ] Confirm incident notification procedures
- [ ] Document compliance status in this file
- [ ] Schedule annual compliance review

## Vendor Risk Assessment

- **Stripe**: Low residual risk — PCI Level 1, all card data handled by Stripe
- **AWS**: Low risk — Infrastructure compliant, we control encryption keys
- **Datadog**: Low risk — No cardholder data stored, monitoring only
```
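The detection procedure above, implemented as an added example that is not part of this page or of any scanner it describes: a Python script that enumerates vendors from package.json (the other sources the procedure names, infrastructure configs and environment variables, are not scanned here), parses the markdown vendor table from docs/vendor-compliance.md, and applies the pass/fail/skip criteria. The package-to-vendor map, the set of Level 1 processors used for the skip rule, the status markers, and both sample inputs are constructed assumptions. It goes one step beyond the page's pass criteria by also warning about detected vendors missing from the document and about review dates older than 12 months, which is the interval Req 12.8.4 actually measures.

```python
"""Added example: vendor-compliance check over package.json and docs/vendor-compliance.md."""
import json
import re
from datetime import date

# Assumption: hand-maintained map from npm package name to the vendor behind it
# (only vendors that could touch cardholder data or the CDE belong here).
PACKAGE_TO_VENDOR = {
    "stripe": "Stripe", "@stripe/stripe-js": "Stripe", "dd-trace": "Datadog",
    "@supabase/supabase-js": "Supabase", "@sendgrid/mail": "SendGrid", "aws-sdk": "AWS",
}
# Assumption: processors whose PCI DSS Level 1 status was verified out of band (Skip rule).
LEVEL1_PROCESSORS = {"Stripe"}
STATUS_MARKERS = ("aoc", "saq", "soc 2", "pci")  # a compliance cell without one has no status
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def vendors_from_package_json(text):
    """Return the set of vendors implied by a package.json's dependency names."""
    pkg = json.loads(text)
    names = set(pkg.get("dependencies", {})) | set(pkg.get("devDependencies", {}))
    found = set()
    for name in names:
        if name in PACKAGE_TO_VENDOR:
            found.add(PACKAGE_TO_VENDOR[name])
        elif name.startswith("@aws-sdk/"):  # modular AWS SDK v3 packages
            found.add("AWS")
    return found


def parse_vendor_table(markdown):
    """Parse markdown table rows (header from the first row) into
    {vendor: {"compliance": str, "last_review": date | None}}."""
    rows = [ln.strip() for ln in markdown.splitlines() if ln.strip().startswith("|")]
    if len(rows) < 2:
        return {}
    header = [c.strip().lower() for c in rows[0].strip("|").split("|")]

    def column(keyword):
        return next((i for i, h in enumerate(header) if keyword in h), None)

    v_col, c_col, d_col = column("vendor"), column("compliance"), column("last")
    if v_col is None or c_col is None:
        return {}
    vendors = {}
    for row in rows[1:]:
        cells = [c.strip() for c in row.strip("|").split("|")]
        if len(cells) <= max(v_col, c_col) or set(cells[0]) <= set("-: "):
            continue  # too short, or the |---|---| separator row
        status = cells[c_col]
        if not any(m in status.lower() for m in STATUS_MARKERS):
            status = ""  # "pending" or "TBD" is not a verified status
        last = None
        if d_col is not None and d_col < len(cells):
            m = DATE_RE.search(cells[d_col])
            last = date.fromisoformat(m.group(0)) if m else None
        vendors[cells[v_col]] = {"compliance": status, "last_review": last}
    return vendors


def evaluate(detected, documented, today=None, max_age_days=365):
    """Apply the page's pass/fail/skip rules; returns (status, detail)."""
    today = today or date.today()
    if len(detected) == 1 and detected <= LEVEL1_PROCESSORS and set(documented) <= detected:
        return "SKIP", f"Only {next(iter(detected))} (PCI DSS Level 1) in use; no other TPSPs."
    n_doc = len(documented)
    n_status = sum(1 for v in documented.values() if v["compliance"])
    n_dated = sum(1 for v in documented.values() if v["last_review"])
    summary = (f"{n_doc} vendors documented, {n_status} with compliance status, "
               f"{n_dated} with review dates.")
    if n_doc == 0:
        return "FAIL", (f"0 vendor compliance documentation files found. {len(detected)} "
                        f"third-party services detected in package.json "
                        f"({', '.join(sorted(detected))}) with no compliance tracking.")
    if n_doc < 2 or n_status < 2 or n_dated == 0:
        return "FAIL", summary + " Need >= 2 vendors with status and >= 1 review date."
    # Beyond the page's pass criteria: surface the gaps an assessor would ask about.
    warnings = []
    missing = sorted(detected - set(documented))
    if missing:
        warnings.append("detected but undocumented: " + ", ".join(missing))
    stale = sorted(v for v, d in documented.items()
                   if d["last_review"] and (today - d["last_review"]).days > max_age_days)
    if stale:
        warnings.append(f"review older than {max_age_days} days: " + ", ".join(stale))
    return "PASS", summary + (" Warnings: " + "; ".join(warnings) if warnings else "")


# Constructed sample inputs (not from any real project).
SAMPLE_PACKAGE_JSON = json.dumps({"dependencies": {
    "express": "^4.19.0", "stripe": "^14.0.0", "dd-trace": "^5.0.0", "@sendgrid/mail": "^8.1.0"}})
SAMPLE_DOC = """| Vendor | Service | Compliance Status | AOC/SAQ | Last Review |
|--------|---------|-------------------|---------|-------------|
| Stripe | Payment Processing | Level 1 PCI DSS | AOC (Annual) | 2025-11-30 |
| Datadog | Monitoring | Level 1 PCI DSS | AOC (Annual) | 2024-10-15 |
| SendGrid | Email | pending | - | - |
"""

if __name__ == "__main__":
    detected = vendors_from_package_json(SAMPLE_PACKAGE_JSON)
    print(*evaluate(detected, parse_vendor_table(SAMPLE_DOC), date(2026, 4, 18)))
```

On the constructed sample the check passes (3 vendors documented, 2 with status, 2 with review dates) but warns that Datadog's last review is older than 365 days; SendGrid's "pending" cell is deliberately not counted as a compliance status, which is the distinction the fail criterion "listed without compliance status verification" draws.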
External references
- pci-dss:4.0 · Req 12.8 — Risk to information assets associated with third-party service provider (TPSP) relationships is managed
- pci-dss:4.0 · Req 12.8.4 — A program is implemented to monitor TPSPs' PCI DSS compliance status at least once every 12 months
- iso-27001:2022 · A.5.19 — Information security in supplier relationships
- soc2:2017 · CC9.2 — The entity assesses and manages risks associated with vendors and business partners
Taxons
History
- 2026-04-18·v1.0.0·Initial import from ecommerce-pci·automated