PCI-12.8.3:
Obtain contracts between the organization and any third parties that handle cardholder data (e.g., backup tape storage facilities, managed service providers such as Web hosting companies or security service providers, or those that receive data for fraud modeling purposes). Verify that the PCI Data Security Standard requirements relevant to the business relationship between the organization and the third party are included in the contract. Specifically verify the following information is included in the contract:
- Contract provisions include appropriate business continuity provided by the third party such that the third party’s services will be available in the event of a major disruption or failure.
- Contract provisions include appropriate business continuity provided by the third party such that the third party’s services will be available in the event of a major disruption or failure.
References
(see: Disaster Recovery Requirements Analysis)
--Mdpeters 12:17, 15 February 2007 (EST)