PCI DSS 12.8.2: Maintain Written TPSP Agreements
Third-party service providers (TPSPs) handle sensitive account data, making documented security accountability essential. PCI DSS 12.8.2 requires written agreements with all TPSPs that confirm their responsibility for protecting cardholder data. Failing to formalize these obligations leaves your organization exposed to compliance gaps and vendor-related breaches.
What this means
This control requires you to establish and maintain written agreements with every third-party service provider that has access to account data or could impact data security. These agreements must explicitly state the TPSP's responsibility for maintaining account data security and upholding PCI DSS requirements. The documentation serves as a contractual foundation ensuring vendors understand and commit to their security obligations, creating clear accountability across your entire service provider ecosystem.
How to comply
- 1.Identify all TPSPs with access to account data or systems that process, store, or transmit cardholder information
- 2.Draft or update vendor contracts to include explicit clauses requiring PCI DSS compliance and account data protection
- 3.Define security responsibilities, incident reporting requirements, and audit rights in written agreements
- 4.Require TPSPs to acknowledge their understanding of data security obligations in signed documentation
- 5.Maintain a current inventory of all active TPSP agreements with execution dates and renewal schedules
- 6.Periodically review and update agreements to reflect changes in services, regulations, or security requirements
Evidence auditors look for
- Signed vendor contracts with PCI DSS compliance clauses and security responsibility statements
- Master Service Agreements (MSAs) specifying data protection and breach notification requirements
- Addendums or data processing agreements addressing cardholder data handling
- TPSP acknowledgment letters confirming receipt and acceptance of security requirements
- Documented inventory listing all TPSPs, agreement dates, and scope of data access
- Evidence of annual agreement reviews and updates for existing service providers
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch's vendor management module automatically tracks TPSP agreements, flags renewal dates, and maintains audit-ready documentation—eliminating spreadsheet chaos and ensuring no critical security agreements slip through the cracks.
See how GRCWatch handles this control automatically
Start free trial