Outsourcing PCI DSS Compliance: How It Works and What Remains Your Responsibility

February 22, 2025 6 min read PCI Proxy EU

PCI DSS outsourcing is a valid and widespread strategy, but it is often misunderstood. There is no way to completely delegate PCI DSS responsibility to a third party: some responsibilities always remain with the merchant, by contract with the acquirer and by the nature of the standard itself. Understanding where the provider's responsibility ends and the merchant's begins is essential to building a sustainable compliance model without surprises in the event of an audit or breach.

What can actually be outsourced in PCI DSS

The most easily outsourceable part of compliance concerns card data management. A PCI DSS Level 1 certified tokenisation provider takes on the secure storage of PANs, encryption, vault management, access controls to card data, vulnerability scanning of its own infrastructure, and periodic penetration testing. The merchant using this provider does not need to worry about any of these aspects for the card data that the provider manages.

Network infrastructure management and payment processing can also be outsourced. A PCI DSS as a Service provider that manages hosting, firewalls, monitoring systems and security patching of the payment environment leaves the merchant with only the residual responsibility for their own reduced perimeter. This delegation works because PCI DSS explicitly provides for a chain of responsibility between merchant and service provider: the service provider, attested as compliant, covers the controls included in its service, and the merchant covers the residual controls in their own environment.

What always remains the merchant's responsibility

Even with the maximum level of outsourcing, some responsibilities cannot be delegated. The merchant always remains responsible for completing and signing the SAQ or, at higher levels, engaging a QSA for the RoC. This responsibility is contractual with the acquirer and cannot be transferred to the service provider. The merchant must also manage their own physical and logical access policies to the business systems that interface with the payment environment, even if reduced.

The merchant also retains responsibility for training staff who manage payment processes, for periodically verifying that their suppliers maintain PCI DSS certification, and for documenting the perimeter of their own CDE. This last point is critical: many merchants using certified providers fail to correctly document their reduced scope and find themselves in difficulty when the acquirer requests clarification on the SAQ. The provider can supply supporting documentation, but the responsibility for correctly completing the SAQ always rests with the merchant.

The PCI DSS as a Service model with PCI Proxy EU

With PCI Proxy EU, the merchant delegates complete card data management to the provider: tokenisation, an encrypted vault in Europe, and PCI DSS Level 1 compliance of the payment infrastructure. The merchant retains control of their business and payment flows, but card data never enters their environment. This typically allows the merchant to qualify for SAQ A, reducing their direct responsibility perimeter to the few controls required by that questionnaire.

The as-a-service model also includes support in completing the SAQ, perimeter documentation, and, on request, attestation of the provider as a PCI DSS compliant service provider that the merchant can attach to their compliance documentation. This significantly simplifies the annual compliance renewal process with the acquirer. The merchant does not need to engage external consultants for the audit or for vulnerability scanning of the payment infrastructure: all of this falls within the provider's perimeter.

Frequently asked questions

By outsourcing PCI compliance am I safe from penalties?

Partially. Outsourcing card data management to a certified provider significantly reduces the risk of a breach and associated penalties. But if the merchant does not correctly complete the SAQ, does not manage their own access controls, or does not train staff on payment processes, the residual responsibilities remain. In the event of an audit or breach, the acquirer will also verify the part of the perimeter that remains with the merchant, not just the provider's part.

Can my provider sign a PCI responsibility letter?

Yes. PCI DSS certified service providers typically issue a responsibility letter (Responsibility Matrix or Attestation of Compliance) that documents which PCI DSS controls fall within the provider's perimeter and which remain with the merchant. This document is useful to attach to the SAQ when the acquirer requests perimeter documentation. Verify with your provider that their certification is up to date and that the responsibility letter specifically references the services you use.

How much does outsourcing cost compared to managing it internally?

For most medium-sized merchants, outsourcing to a certified provider is significantly less expensive than internal management. Internal costs include certified infrastructure, quarterly vulnerability scanning, annual penetration testing, staff training and QSA consulting. A merchant managing a full CDE internally can spend from €50,000 to over €200,000 per year on compliance. A tokenisation-as-a-service solution has a predictable fixed cost, typically an order of magnitude lower.

Delegate PCI DSS compliance while maintaining control of your business: tokenisation-as-a-service is the most efficient model for most merchants. Discover PCI Proxy EU.

PCI Proxy EU Team

RoxPay, PCI DSS tokenization in Europe

Content reviewed by payment and PCI DSS compliance experts.
