PCI DSS 12.8.1: Maintain Third-Party Service Provider List
PCI DSS 12.8.1 requires you to maintain an accurate, up-to-date list of all third-party service providers (TPSPs) that have access to cardholder account data. Without visibility into your TPSP ecosystem, you cannot effectively manage security risks or demonstrate compliance during audits. This control is foundational to managing third-party risk across your payment environment.
What this means
This control mandates that your organization documents every third party—including processors, payment gateways, hosting providers, and service vendors—that handles, stores, or transmits payment card data. The list must be actively maintained and reviewed, capturing each TPSP's name, services provided, and data access scope. This creates accountability and enables you to track which parties have sensitive data exposure, a critical requirement for PCI DSS compliance and breach response.
How to comply
- 1.Conduct a comprehensive inventory of all third parties that touch or access cardholder account data, including direct processors, sub-processors, cloud providers, and consultants.
- 2.Document each TPSP with their business purpose, services provided, and specific data elements they access (e.g., full PAN, CVV, expiration date).
- 3.Establish a process to update the list whenever new TPSPs are onboarded or existing relationships terminate.
- 4.Implement periodic reviews (at minimum annually) to verify accuracy and identify changes in the TPSP landscape.
- 5.Assign ownership for the TPSP list to a specific team or individual responsible for maintenance.
- 6.Ensure the list is accessible to compliance and security teams for risk assessment and incident response.
Evidence auditors look for
- Documented TPSP inventory spreadsheet with columns for provider name, services, data elements accessed, and contract dates.
- Third-party risk assessment questionnaires (e.g., vendor security questionnaires) completed and filed for each TPSP.
- Signed service agreements or Data Processing Addendums (DPAs) listing security obligations for each third party.
- Meeting minutes or change logs showing quarterly TPSP list reviews and updates.
- TPSP onboarding and offboarding documentation with approval dates.
- Evidence of compliance monitoring for each TPSP (e.g., annual audit reports, certifications like SOC 2).
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates TPSP inventory tracking and maintains your list in real-time, triggering alerts when new vendors are onboarded or existing relationships change—eliminating manual spreadsheet maintenance and keeping your third-party risk visible to auditors.
See how GRCWatch handles this control automatically
Start free trial