PCI DSS v4.0 Req 12.8 requires that policies and procedures for managing third-party service providers (TPSPs) with which cardholder data is shared, or that could affect the security of cardholder data, are documented and implemented; Req 12.8.4 requires that each TPSP's PCI DSS compliance status is monitored at least once every 12 months, and Req 12.8.5 requires a record of which PCI DSS requirements each TPSP manages, which you manage, and which are shared. Every third-party service that touches your CDE, whether payment processor, hosting provider or monitoring platform, extends your PCI scope: if Stripe, AWS or a logging vendor has a compliance gap you have not verified, that gap becomes your finding at assessment time. ISO 27001:2022 control A.5.19 (information security in supplier relationships) and SOC 2 CC9.2 (risks associated with vendors and business partners) likewise require third-party risk management as a formal program.
Severity is low because a missing or stale vendor record is a governance gap rather than a direct exposure: for it to turn into an incident, the vendor itself would have to be non-compliant or compromised and your cardholder data would have to be affected through that vendor, so the direct impact is mediated by the vendor's own controls and sits one step removed from your systems.
Create docs/vendor-compliance.md listing every third-party service that stores, processes or transmits cardholder data, or that could affect its security (payment processor, hosting, monitoring, database, email), with its compliance status, a reference to its current AOC or SOC 2 report, and the date you last verified it. Review and update the document at least annually, per Req 12.8.4, and whenever a vendor is added or removed.
| Vendor  | Role               | Compliance                                       | Evidence                                   | Last Verified |
|---------|--------------------|--------------------------------------------------|--------------------------------------------|---------------|
| Stripe  | Payment processing | PCI DSS Level 1 service provider                 | AOC, stripe.com/docs/security              | 2026-01-30    |
| AWS     | Infrastructure     | PCI DSS Level 1 service provider; SOC 2 Type II  | AOC and SOC 2 report, AWS Artifact         | 2026-01-15    |
| Datadog | Monitoring         | PCI DSS Level 1                                  | AOC, vendor security portal                | 2026-01-20    |
For each vendor, obtain the current AOC or SOC 2 report annually (Stripe publishes its PCI documentation at stripe.com/docs/security; AWS distributes its PCI DSS AOC and SOC reports through AWS Artifact, linked from aws.amazon.com/compliance) and record the document and the verification date in the table. Two caveats: a SOC 2 report is not a substitute for a PCI DSS AOC when the vendor stores, processes or transmits cardholder data or can affect its security, because Req 12.8.4 is about PCI DSS compliance status specifically; and SOC 2 reports are usually released under NDA, so keep the file in a restricted location and commit only the reference. Check that the AOC's scope actually covers the service you consume and that it was issued within the last 12 months. Add a calendar reminder to repeat the review before your annual PCI assessment.
ID: ecommerce-pci.monitoring-compliance.vendor-compliance
Severity: low
What to look for: Enumerate all third-party services used in the project by scanning package.json dependencies, infrastructure configs, and environment variable names. Count the third-party vendors that handle or can access cardholder data (payment processors, hosting, monitoring, database and email services). Search for vendor compliance documentation (look for "vendor", "compliance", "third-party" in docs/). For each vendor found, check whether its compliance status (AOC, SAQ type, SOC 2 report) and last review date are documented, and cross-reference the vendors detected in code against the vendors listed in the document.
Pass criteria: At least 1 vendor compliance documentation file exists. The document lists at least 2 third-party vendors with their compliance status (AOC, SAQ type, SOC 2 report). At least 1 vendor has a documented last review date. Report: "X vendors documented, Y with compliance status, Z with review dates."
Fail criteria: No vendor compliance documentation found (0 files), or vendors are listed without compliance status verification, or fewer than 2 vendors documented.
Skip (N/A) when: Only one third-party service handles or can affect cardholder data (e.g. Stripe only, with no separate hosting, monitoring or database vendor in scope) and that processor is a PCI DSS Level 1 service provider. Req 12.8.4 still applies to that single provider, so its AOC must still be verified annually; the check is skipped only because there is no multi-vendor inventory to maintain.
Detail on fail: Specify the gap. Example: "0 vendor compliance documentation files found. 4 third-party services detected in package.json (stripe, datadog, supabase, sendgrid) with no compliance tracking." or "docs/vendors.md lists 3 vendors but 0 have documented compliance status or review dates."
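As an added example (not part of the original check or of any project's own code), the Python script below mechanizes the check: it detects vendors from package.json and environment-variable names, parses the vendor table in docs/vendor-compliance.md, applies the pass, fail and detail rules above, and additionally flags review dates older than 12 months (Req 12.8.4) and vendors that are detected in code but absent from the document. The vendor indicator tables, the sample package.json, the sample markdown document and the fixed "today" date are all constructed for the example and are assumptions to adapt to your own stack.

```python
"""Vendor-compliance check (added example): detect third-party vendors from
package.json and env-var names, parse docs/vendor-compliance.md, and apply
the pass/fail/detail rules. All indicator tables and inputs are constructed."""
import json
import re
from datetime import date

# Assumed indicators (hypothetical; extend for your stack): npm package names
# and env-var prefixes that reveal a vendor in the CDE, mapped to a slug.
VENDOR_PACKAGES = {
    "stripe": "stripe", "@stripe/stripe-js": "stripe",
    "dd-trace": "datadog", "@datadog/browser-logs": "datadog",
    "@sendgrid/mail": "sendgrid", "@supabase/supabase-js": "supabase",
    "aws-sdk": "aws",
}
VENDOR_ENV_PREFIXES = {
    "STRIPE_": "stripe", "DD_": "datadog", "DATADOG_": "datadog",
    "SENDGRID_": "sendgrid", "SUPABASE_": "supabase", "AWS_": "aws",
}
# A status cell counts as verified only if it names an actual artifact.
STATUS_RE = re.compile(r"\b(AOC|SAQ|SOC ?2|PCI[- ]DSS)\b", re.IGNORECASE)
DATE_RE = re.compile(r"\b(\d{4}-\d{2}-\d{2})\b")
CHECK_DATE = date(2026, 2, 1)  # constructed "today" so results are stable


def detect_vendors(package_json: str, env_names) -> set:
    """Vendor slugs found in dependencies, devDependencies and env-var names."""
    pkg = json.loads(package_json)
    deps = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    found = {VENDOR_PACKAGES[d] for d in deps if d in VENDOR_PACKAGES}
    if any(d.startswith("@aws-sdk/") for d in deps):  # v3 SDK is scoped
        found.add("aws")
    for name in env_names:
        for prefix, vendor in VENDOR_ENV_PREFIXES.items():
            if name.startswith(prefix):
                found.add(vendor)
    return found


def parse_vendor_table(markdown: str) -> list:
    """Rows of the first pipe table with a Vendor column. Column roles are
    located by header keyword, so extra columns in any order are tolerated."""
    header, rows = None, []
    for line in markdown.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            if "vendor" in (c.lower() for c in cells):
                header = [c.lower() for c in cells]
            continue
        if set(line) <= set("|-: ") or len(cells) != len(header):
            continue  # separator row or malformed row
        row = dict(zip(header, cells))
        status_text = " ".join(v for k, v in row.items()
                               if "compliance" in k or "aoc" in k or "saq" in k)
        date_text = " ".join(v for k, v in row.items()
                             if "review" in k or "verified" in k)
        m = DATE_RE.search(date_text)
        try:
            review = date.fromisoformat(m.group(1)) if m else None
        except ValueError:
            review = None  # malformed date is treated as no review date
        rows.append({"vendor": row["vendor"].lower(),
                     "status": bool(STATUS_RE.search(status_text)),
                     "review_date": review})
    return rows


def run_check(package_json: str, env_names, markdown, today: date) -> dict:
    """Apply the pass/fail/detail rules; markdown=None means no doc was found."""
    detected = detect_vendors(package_json, env_names)
    documented = parse_vendor_table(markdown) if markdown is not None else []
    with_status = [v["vendor"] for v in documented if v["status"]]
    no_status = [v["vendor"] for v in documented if not v["status"]]
    with_date = [v for v in documented if v["review_date"]]
    stale = [v["vendor"] for v in with_date if (today - v["review_date"]).days > 365]
    undocumented = sorted(detected - {v["vendor"] for v in documented})
    passed = (markdown is not None and len(documented) >= 2
              and not no_status and len(with_date) >= 1)
    details = []
    if markdown is None:
        details.append(f"0 vendor compliance documentation files found. "
                       f"{len(detected)} third-party services detected "
                       f"({', '.join(sorted(detected))}) with no compliance tracking.")
    else:
        if no_status:
            details.append(f"{len(no_status)} vendor(s) listed without compliance "
                           f"status: {', '.join(no_status)}")
        if undocumented:
            details.append("detected but not documented: " + ", ".join(undocumented))
        if stale:
            details.append("review date older than 12 months (Req 12.8.4): "
                           + ", ".join(stale))
    return {"status": "pass" if passed else "fail",
            "report": (f"{len(documented)} vendors documented, {len(with_status)} "
                       f"with compliance status, {len(with_date)} with review dates."),
            "undocumented": undocumented, "stale": stale, "details": details}


# Constructed sample inputs for the example.
SAMPLE_PACKAGE_JSON = json.dumps({"dependencies": {
    "express": "^4.19.0", "stripe": "^14.0.0", "dd-trace": "^5.0.0",
    "@sendgrid/mail": "^8.0.0", "@supabase/supabase-js": "^2.39.0"}})
SAMPLE_ENV = ["NODE_ENV", "STRIPE_SECRET_KEY", "DD_API_KEY", "AWS_ACCESS_KEY_ID"]
SAMPLE_DOC = """# Third-Party Vendor Compliance Assessment
| Vendor | Service | Compliance Status | AOC/SAQ | Last Review | Notes |
|--------|---------|-------------------|---------|-------------|-------|
| Stripe | Payment processing | PCI DSS Level 1 | AOC (annual) | 2025-11-30 | |
| Datadog | Monitoring | PCI DSS Level 1 | AOC (annual) | 2024-10-15 | stale |
| AWS | Infrastructure | SOC 2 Type II | Report (annual) | 2025-12-01 | |
| SendGrid | Email | pending | | | questionnaire sent |
"""

if __name__ == "__main__":
    result = run_check(SAMPLE_PACKAGE_JSON, SAMPLE_ENV, SAMPLE_DOC, CHECK_DATE)
    print(result["status"], result["report"], *result["details"], sep="\n")
```

On the sample document the check fails because SendGrid is listed without a compliance artifact (fail criterion "vendors are listed without compliance status verification"), and the details also name Supabase, which is detected in package.json but absent from the document, and Datadog, whose review date is older than 12 months. Neither of those last two conditions fails the check under the criteria as written; if you want an undocumented vendor or a stale review to fail, add `not undocumented and not stale` to the `passed` expression.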
Remediation: Create docs/vendor-compliance.md with the structure below and keep it current, updating it when a vendor is onboarded or removed and at the annual review:
# Third-Party Vendor Compliance Assessment
## Vendors Handling Cardholder Data
| Vendor | Service | Compliance Status | Evidence | Last Review | Notes |
|--------|---------|-------------------|----------|-------------|-------|
| Stripe | Payment processing | PCI DSS Level 1 service provider | AOC (annual) | 2025-11-30 | All card data handled by Stripe; our SAQ type depends on the integration method (hosted fields vs direct API) |
| Datadog | Monitoring | PCI DSS Level 1 | AOC (annual) | 2025-10-15 | No cardholder data should reach logs; PAN scrubbing verified |
| AWS | Infrastructure | PCI DSS Level 1 service provider; SOC 2 Type II | AOC and SOC 2 report via AWS Artifact (annual) | 2025-12-01 | Encryption at rest enabled; we control the keys |
| SendGrid | Email notifications | SOC 2 Type II | Report (annual) | 2025-09-30 | No card data in templates, event webhooks or logs |
## Vendor Onboarding Checklist
- [ ] Confirm whether the vendor stores, processes or transmits cardholder data, or can affect its security (otherwise it is out of scope for this file)
- [ ] Verify PCI DSS compliance: obtain the current AOC (or SAQ with AOC for smaller providers) and check its date and scope
- [ ] Obtain a written agreement acknowledging the vendor's responsibility for the security of the cardholder data it handles (Req 12.8.2)
- [ ] Record which PCI DSS requirements the vendor manages, which we manage, and which are shared (Req 12.8.5)
- [ ] Confirm data handling procedures
- [ ] Review security policies
- [ ] Confirm incident notification procedures and contacts
- [ ] Document compliance status in this file
- [ ] Schedule annual compliance review
## Vendor Risk Assessment
- **Stripe**: Low risk, PCI DSS Level 1; all card data is handled by Stripe, so the residual exposure is our integration (keeping card fields in Stripe-hosted elements keeps us eligible for SAQ A)
- **AWS**: Low risk, PCI DSS Level 1 infrastructure; we control the encryption keys and the configuration of the services in scope, so our own misconfiguration, not AWS's compliance, is the realistic exposure
- **Datadog**: Low risk, monitoring only; rated low on the assumption that no cardholder data reaches logs, so PAN scrubbing at the log shipper must be verified, since PAN in logs would bring Datadog fully into scope
- **SendGrid**: Low risk, email only; templates and event webhooks must not carry card data