PCI Compliance

Twingate for companies requiring PCI compliance

If you are an organization that needs to comply with PCI DSS (the Payment Card Industry Data Security Standard), you may be wondering whether you can use Twingate and still comply with PCI.

We believe that Twingate is able to be used by organizations in compliance with PCI DSS, even though the Twingate product itself is not validated as PCI DSS compliant. This is because PCI DSS does not require a third party service provider like Twingate to be validated as PCI DSS compliant.

Twingate can be used to help an organization meet some of its PCI compliance obligations, especially when it comes to securing its cardholder data environment (CDE). When used for this purpose, Twingate is considered to be a third party service provider.

For a more in-depth explanation, read on.

Twingate as a Service Provider

If Twingate is used by an organization to secure access to its CDE, Twingate may be regarded as “in scope” for PCI DSS compliance purposes as a third party service provider. However, it is important to note that a system being “in scope” for PCI DSS does not necessarily mean the system itself needs to be validated as fully PCI DSS compliant.

When Twingate acts as a service provider for PCI DSS purposes, Requirement 12.8 of the PCI DSS becomes relevant. As noted by the PCI Security Standards Council, service providers do not need to be validated as PCI DSS compliant in order for an organization to meet Requirement 12.8. “If, however, a service provider provides a service that is in scope for the entity’s PCI DSS requirements, then the compliance of that service will impact the entity’s compliance. For example; if an entity engages a service provider to manage their firewalls, and the service provider is not meeting the applicable requirements in PCI DSS Requirement 1, then those requirements are not in place for the merchant’s compliance.”

Twingate can act as a third party service provider if Twingate is used to secure access to components of a customer’s CDE. Consequently, organizations should identify what PCI requirements they are intending to fulfill by using Twingate, and understand how Twingate accomplishes those. For example, Twingate can help customers to meet Requirement 7.3, which relates to managing access to in scope system components via an access control system.

Please contact us for more information about Twingate and PCI DSS compliance.

Last updated 9 months ago