Vendor Management Policy — Third-Party Service Provider (TPSP) Management
| Field | Value |
|---|---|
| Document ID | POL-008 |
| Version | 1.0 |
| Effective Date | 2026-04-08 |
| Next Review Date | 2027-04-08 |
| Classification | Internal |
| Owner | Information Security Officer |
| Approved By | CEO, Paylithix Inc. |
1. Purpose
This policy establishes the requirements for managing third-party service providers (TPSPs) that store, process, or transmit cardholder data (CHD) or that could affect the security of the Cardholder Data Environment (CDE) for Gatelithix Gateway. It ensures Paylithix Inc. meets PCI DSS 4.0.1 Requirements 12.8 and 12.9 and maintains appropriate oversight of all service provider relationships.
As a Level 1 Service Provider, Paylithix Inc. has a dual obligation: we must manage our own TPSPs (Req 12.8) and we must support our merchants’ PCI DSS compliance efforts (Req 12.9).
2. Scope
This policy applies to all third-party service providers that:
- Store, process, or transmit cardholder data on behalf of Paylithix Inc.
- Could affect the security of the CDE (e.g., infrastructure providers, authentication services)
- Provide services that are within or connected to the PCI DSS assessment scope
This includes payment processors, cloud infrastructure providers, identity providers, DNS/CDN providers, and source code/CI platforms.
2.1 Exclusions
The following are out of scope for this policy:
- Vendors that provide only general office productivity tools with no access to CHD or CDE systems
- Vendors whose services are entirely isolated from the CDE and connected systems
3. TPSP Classification
All TPSPs are classified into tiers based on their level of access to cardholder data and their potential impact on CDE security.
Tier 1 — Direct CHD Access
TPSPs that directly store, process, or transmit cardholder data. These represent the highest risk and require the most rigorous oversight.
Characteristics:
- Receive raw or tokenized PAN during payment processing
- Must maintain their own PCI DSS compliance
- A compromise at this TPSP could directly expose cardholder data
Current Tier 1 TPSPs: Stripe, NMI, FluidPay (deprecation track). TSYS planned (next connector — Transnox REST API).
Tier 2 — CDE Infrastructure
TPSPs that provide infrastructure or services within or directly connected to the CDE. They do not handle raw PAN in the clear but host systems that do.
Characteristics:
- Provide compute, storage, networking, or security services for CDE components
- Have access to encrypted cardholder data at rest or provide the encryption infrastructure
- A compromise could affect CDE availability or integrity
Current Tier 2 TPSPs: Google Cloud Platform, Auth0 (Okta)
Tier 3 — Indirect / Supporting Services
TPSPs that provide services connected to the assessment scope but do not directly access CHD or CDE infrastructure.
Characteristics:
- Provide edge networking, DNS, source code hosting, or CI/CD services
- No direct access to cardholder data (encrypted or otherwise)
- A compromise could indirectly affect security posture (e.g., code integrity, DNS hijacking)
Current Tier 3 TPSPs: Cloudflare, GitHub
4. TPSP Inventory
The Information Security Officer (ISO) maintains the authoritative inventory of all TPSPs. This inventory is reviewed and updated at least annually and whenever a new TPSP is engaged or an existing one is terminated. (PCI DSS 12.8.1)
4.1 Current TPSP Inventory
| TPSP | Tier | Services Provided | CHD Access | Compliance Status | AOC/SOC2 On File | Last Review |
|---|---|---|---|---|---|---|
| Stripe | 1 | Payment processing, tokenization | Yes (PAN transit) | PCI DSS Level 1 SP | Required | Annual |
| NMI | 1 | Payment processing, gateway | Yes (PAN transit) | PCI DSS Level 1 | Required | Annual |
| FluidPay | 1 | Payment processing | Yes (PAN transit) | PCI DSS Level 1 | Required | Annual |
| TSYS (planned) | 1 | Payment processing (Transnox REST API) | Yes (PAN transit) | PCI DSS Level 1 SP | Required at onboarding | Annual once live |
| Google Cloud Platform | 2 | Infrastructure (Cloud Run, Cloud SQL, Cloud KMS/HSM) | Yes (encrypted at rest) | PCI DSS Level 1 SP, SOC 2 Type II | On file | Annual |
| Auth0 (Okta) | 2 | Authentication, MFA, session management | No | SOC 2 Type II | Required | Annual |
| Cloudflare | 3 | DNS, DDoS protection, WAF, TLS termination | No (TLS pass-through) | PCI DSS Level 1 SP, SOC 2 Type II | Required | Annual |
| GitHub | 3 | Source code hosting, CI/CD (Actions) | No | SOC 2 Type II | Required | Annual |
4.2 Inventory Maintenance
The inventory must be updated within 5 business days when:
- A new TPSP is engaged
- A TPSP’s services, tier classification, or CHD access changes
- A TPSP is terminated or replaced
- A TPSP’s compliance status changes (e.g., AOC expires, breach disclosed)
5. Onboarding — Due Diligence Process
Before engaging any new TPSP that will be in scope for PCI DSS, the following due diligence must be completed. (PCI DSS 12.8.3)
5.1 Due Diligence Checklist
| # | Check | Tier 1 | Tier 2 | Tier 3 |
|---|---|---|---|---|
| 1 | Verify PCI DSS compliance status (AOC or SAQ) | Required | Required if CHD access | Recommended |
| 2 | Obtain SOC 2 Type II report | Required | Required | Required |
| 3 | Review most recent penetration test summary (if available) | Required | Recommended | Optional |
| 4 | Verify the TPSP is listed on Visa/Mastercard service provider registries (if applicable) | Required | N/A | N/A |
| 5 | Review data handling and encryption practices | Required | Required | Recommended |
| 6 | Confirm breach notification commitment (72 hours) | Required | Required | Required |
| 7 | Review subprocessor list and data residency | Required | Required | Recommended |
| 8 | Evaluate business continuity and disaster recovery posture | Required | Required | Recommended |
| 9 | Confirm ability to execute written agreement with PCI responsibility acknowledgment | Required | Required | Required |
| 10 | Assess financial stability and business viability | Recommended | Recommended | Optional |
5.2 Approval Process
- The requestor (typically Engineering Lead) identifies the need for a new TPSP and completes the due diligence checklist.
- The ISO reviews the completed checklist and compliance documentation.
- For Tier 1 and Tier 2 TPSPs, the CEO must approve the engagement.
- For Tier 3 TPSPs, the ISO may approve the engagement.
- Once approved, the TPSP is added to the inventory and a written agreement is executed.
6. Written Agreements
Every TPSP must have a written agreement in place that includes the following clauses. (PCI DSS 12.8.2)
6.1 Required Contract Clauses
All TPSP agreements must include:
- PCI DSS Responsibility Acknowledgment — The TPSP acknowledges in writing that it is responsible for the security of account data it possesses or otherwise stores, processes, or transmits on behalf of Paylithix Inc. (PCI DSS 12.8.2)
- Scope of Services — Clear description of services provided and data accessed.
- Compliance Obligations — Requirement to maintain PCI DSS compliance (Tier 1) or equivalent security standards (Tier 2/3) for the duration of the agreement.
- Breach Notification — Obligation to notify Paylithix Inc. within 72 hours of discovering any security incident that could affect our data or CDE security.
- Right to Audit — Paylithix Inc. retains the right to request compliance evidence, including AOC, SOC 2 reports, and penetration test summaries.
- Evidence Provision — The TPSP will provide updated compliance evidence (AOC, SOC 2) annually or upon request.
- Data Return/Destruction — Upon termination, the TPSP will securely destroy or return all Paylithix data within an agreed timeframe.
- Subprocessor Notification — The TPSP will notify Paylithix of any material changes to subprocessors handling our data.
6.2 Agreement Tracking
For each TPSP, the ISO maintains a record of:
- Agreement effective date and renewal date
- PCI responsibility acknowledgment (signed or incorporated into terms of service)
- Key contact for compliance inquiries
- Date of last compliance evidence received
7. Compliance Evidence Requirements
7.1 Evidence by Tier
| Evidence Type | Tier 1 | Tier 2 | Tier 3 |
|---|---|---|---|
| PCI DSS AOC (current year) | Required | Required if in CDE | Accepted |
| SOC 2 Type II report | Required | Required | Required |
| Written PCI responsibility acknowledgment | Required | Required | Required |
| Penetration test summary | Recommended | Optional | Optional |
| Insurance certificate (cyber liability) | Recommended | Optional | Optional |
7.2 Evidence Storage
All TPSP compliance evidence is stored in:
- Primary:
compliance/evidence/tpsp/directory, organized by TPSP name - Naming convention:
{tpsp-name}-{document-type}-{YYYY}.{ext}(e.g.,stripe-aoc-2026.pdf) - Retention: Current year plus 3 prior years (matching PCI evidence retention requirements)
7.3 Acceptable Evidence Forms
- PCI DSS AOC: Official Attestation of Compliance signed by QSA or internal assessor
- SOC 2 Type II: Report from accredited CPA firm covering the most recent 12-month period
- Contractual Acknowledgment: Signed agreement clause acknowledging PCI responsibility (acceptable when AOC is not available, primarily for Tier 3 TPSPs)
- Card Brand Registry Listing: Active listing on Visa Global Registry or Mastercard SDP list (supplementary evidence for Tier 1)
8. Annual Review Process
All TPSP relationships are reviewed at least once every 12 months. (PCI DSS 12.8.4)
8.1 Annual Review Checklist
For each TPSP, the ISO completes the following during the annual review:
| # | Review Item | Action |
|---|---|---|
| 1 | Verify current PCI DSS AOC or SOC 2 report is on file | Request updated evidence if expired |
| 2 | Check for publicly disclosed security breaches or incidents | Search security news, TPSP communications |
| 3 | Confirm services provided have not changed materially | Update inventory if services changed |
| 4 | Verify tier classification is still accurate | Reclassify if access level changed |
| 5 | Confirm written agreement is current and includes required clauses | Renew or amend if needed |
| 6 | Review TPSP’s subprocessor list for material changes | Assess impact of new subprocessors |
| 7 | Verify the TPSP is still needed (business justification) | Initiate termination if no longer required |
| 8 | Update the TPSP inventory with review date | Record in inventory table |
8.2 Review Schedule
- Annual review window: April of each year (aligned with policy review cycle)
- Interim reviews: Triggered by TPSP breach disclosure, material service change, or compliance status change
- Documentation: Review results are recorded in
compliance/evidence/tpsp/annual-review-{YYYY}.md
9. Responsibility Matrix
This section documents which PCI DSS requirements are managed by each TPSP versus Paylithix Inc. (PCI DSS 12.8.5)
9.1 Google Cloud Platform
| PCI DSS Area | GCP Responsibility | Paylithix Responsibility |
|---|---|---|
| Physical security (Req 9) | Data center physical access controls, hardware security | N/A (cloud-only deployment) |
| Network infrastructure (Req 1) | Underlying network fabric, DDoS mitigation | VPC configuration, firewall rules, segmentation |
| Encryption at rest (Req 3) | Cloud KMS/HSM infrastructure, default disk encryption | Key management policy, envelope encryption, PAN handling |
| Encryption in transit (Req 4) | TLS termination at load balancer, inter-zone encryption | Application-level TLS configuration, sslmode=require |
| OS patching (Req 6) | Cloud Run managed runtime, container OS | Application dependencies, container image updates |
| Logging infrastructure (Req 10) | Cloud Logging platform, Cloud Audit Logs | Application audit logging, log review procedures |
| IAM infrastructure (Req 7/8) | IAM platform, Cloud Identity | Role definitions, least-privilege configuration, MFA enforcement |
9.2 Payment Processors (Stripe, NMI, FluidPay; TSYS planned)
| PCI DSS Area | Processor Responsibility | Paylithix Responsibility |
|---|---|---|
| PAN processing (Req 3/4) | Secure processing of PAN received via API | Encrypt PAN at ingress, transmit only over TLS 1.2+, minimize PAN exposure window |
| Authorization/settlement | Transaction processing, fraud detection | Correct API integration, idempotency, error handling |
| Webhook security | Signed webhook payloads | Signature verification, secure webhook endpoint |
| Compliance | Maintain own PCI DSS compliance, provide AOC | Verify AOC annually, monitor for breaches |
9.3 Auth0 (Okta)
| PCI DSS Area | Auth0 Responsibility | Paylithix Responsibility |
|---|---|---|
| Authentication platform (Req 8) | Identity platform availability, security patching | Tenant configuration, password policy, MFA enforcement, session timeouts |
| MFA infrastructure (Req 8.4) | MFA delivery mechanisms (TOTP, push) | MFA enrollment policy, enforcement rules |
| Audit logging | Auth0 platform logs | Integration with our audit system, log review |
9.4 Cloudflare
| PCI DSS Area | Cloudflare Responsibility | Paylithix Responsibility |
|---|---|---|
| DNS (Req 1) | DNS infrastructure availability, DNSSEC | DNS record management, domain security |
| DDoS protection (Req 1) | DDoS mitigation at edge | Configuration of protection rules |
| WAF (Req 6) | WAF engine and rule updates | Rule selection and tuning (supplementary to Cloud Armor) |
| TLS (Req 4) | TLS termination, certificate management | Certificate configuration, minimum TLS version |
9.5 GitHub
| PCI DSS Area | GitHub Responsibility | Paylithix Responsibility |
|---|---|---|
| Source code security (Req 6) | Platform security, access controls, availability | Repository configuration, branch protection, code review process |
| CI/CD security (Req 6) | Actions platform security | Workflow configuration, secret management, runner security |
| Access control (Req 7) | Organization/team IAM | User access management, SSO enforcement, permission reviews |
10. Incident Notification
10.1 TPSP Breach Notification Requirements
All TPSP agreements require notification to Paylithix Inc. within 72 hours of the TPSP discovering any security incident that:
- Involves unauthorized access to cardholder data processed on behalf of Paylithix
- Affects the security, integrity, or availability of systems in our CDE
- Results in unauthorized access to Paylithix credentials, tokens, or API keys
- Involves a TPSP subprocessor that handles our data
10.2 Paylithix Response to TPSP Incidents
Upon receiving notification of a TPSP security incident:
- Immediate (0-4 hours): ISO assesses the incident and determines if Paylithix cardholder data is affected. Activate the Incident Response Plan (POL-005) if warranted.
- Short-term (4-48 hours): Determine scope of exposure. Rotate any potentially compromised credentials (API keys, webhook secrets). Notify affected merchants if required.
- Medium-term (48 hours - 2 weeks): Monitor for indicators of compromise. Work with TPSP to understand root cause. Assess whether the TPSP should be suspended or replaced.
- Long-term: Update risk assessment. Re-evaluate TPSP tier classification. Document lessons learned.
10.3 Proactive Monitoring
The ISO monitors the following sources for TPSP security information:
- TPSP status pages and security advisories
- Security news outlets (e.g., Krebs on Security, BleepingComputer)
- PCI SSC bulletins and alerts
- TPSP compliance status changes on Visa/Mastercard registries
11. Termination Criteria
A TPSP must be evaluated for termination or replacement when any of the following occur:
11.1 Mandatory Review Triggers
- The TPSP’s PCI DSS AOC expires and is not renewed within 90 days
- The TPSP discloses a breach involving cardholder data
- The TPSP refuses to provide compliance evidence upon request
- The TPSP fails to execute or renew the required written agreement
- The TPSP’s services are no longer needed
11.2 Termination Process
- Assessment: ISO evaluates the risk and impact of continuing vs. terminating the relationship.
- Notification: Provide written notice per the agreement terms.
- Migration Plan: For Tier 1 and Tier 2 TPSPs, develop a migration plan before termination (these are critical services).
- Data Handling: Confirm the TPSP will destroy or return all Paylithix data per the agreement.
- Credential Rotation: Rotate all API keys, tokens, and credentials associated with the TPSP.
- Inventory Update: Remove the TPSP from the inventory and update all documentation.
- Post-Termination Verification: Confirm no residual data access or connectivity exists.
12. Our Obligations as a Service Provider
As a PCI DSS Level 1 Service Provider, Paylithix Inc. has specific obligations to our merchant customers. (PCI DSS 12.9)
12.1 Written Acknowledgment to Merchants (PCI DSS 12.9.1)
Paylithix Inc. provides written acknowledgment to each merchant that we are responsible for the security of cardholder data we possess, store, process, or transmit on behalf of that merchant. This acknowledgment is:
- Included in the merchant services agreement
- Available upon request from the merchant
- Updated when our PCI DSS scope or responsibilities change materially
12.2 Supporting Merchant PCI Compliance (PCI DSS 12.9.2)
Paylithix Inc. supports merchants’ PCI DSS compliance efforts by:
- Providing our current AOC upon request (within 10 business days)
- Providing information about which PCI DSS requirements we manage on the merchant’s behalf
- Responding to merchant inquiries about our security practices relevant to their PCI assessment
- Notifying merchants of any security incidents that may affect their cardholder data (per Section 10)
Contact for merchant PCI inquiries: compliance@gatelithix.com
13. Compliance and Enforcement
- Compliance with this policy is mandatory for all personnel involved in TPSP selection, management, or oversight.
- Engaging a TPSP without completing the required due diligence process is a policy violation and must be reported to the ISO.
- The ISO reports TPSP compliance status to the CEO as part of the quarterly PCI compliance review (PCI DSS 12.4.2).
14. Related Documents
- Information Security Policy (POL-001) — Parent policy
- Incident Response Plan (POL-005) — Activated for TPSP security incidents
- PCI DSS v4.0.1 Control Matrix — Requirements 12.8 and 12.9 tracking
- PCI Compliance Architecture Guide — CDE architecture and shared responsibility model
- PCI DSS v4.0.1 Standard, Requirements 12.8 and 12.9 (PCI Security Standards Council)
15. Document History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-04-08 | Information Security Officer | Initial policy creation — TPSP inventory, classification, due diligence, annual review, responsibility matrices, incident notification, service provider obligations |