Chapter 3

Third Parties

Third parties have always been a challenge for PCI DSS. In fact, a tidbit of Visa CISP lore suggests that this whole PCI DSS mess stemmed from Visa's lack of visibility into the third parties that may handle data on behalf of merchants. PCI DSS 3.0, and now 3.1, focuses more closely on those third parties, but they have always been an issue for PCI DSS. There have always been requirements for managing relationships with third parties through contracts and risk assessments, and the last few versions of the standard have gradually stepped up these requirements. I would be wary of a QSA who didn't ask to see lots of documentation from your third parties. In some instances, he should suggest (and ...