12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement

12.8.3 Verify that policies and procedures are documented and implemented including proper due diligence prior to engaging any service provider.

The process ensures that any engagement of a service provider is thoroughly vetted internally by the organization, including a risk analysis performed before a formal relationship with the service provider is established.

Specific due-diligence processes and goals will vary for each organization. Considerations may include the provider's reporting practices, its breach-notification and incident response procedures, how PCI DSS responsibilities are assigned between the two parties, how the provider validates its PCI DSS compliance, and what evidence of that compliance it will provide.