Would a domain registrar be considered a Service Provider for PCI compliance if it never touches its customer’s card holder data?
Hypothetical:
- Company A accepts credit card payments and must be PCI compliant.
- Company B provides domain registration (but not DNS or web hosting) services to Company A.
- Some of these domains are used by Company A to accept credit card data, but the data never leaves Company A's environment nor hits Company B's.
- Nevertheless, a compromise of Company B's security could result in Company A's domain NS delegation pointing to an attacker who could steal the credit card data of Company A's customers.
Questions:
- In the above hypothetical, does PCI compliance require that Company A obtain from Company B a Self Assessment Questionnaire D (SAQ-D) for Service Providers, or even a full Report on Compliance (ROC)?
Note that according to according to https://www.pcisecuritystandards.org/glossary/#glossary-s,
If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service.
Domain registration is as close to "public network access" as you can get, and the "such as" language is not restrictive, so I would argue that Company B is not a PCI Service Provider. Also, I could not find any declarations from popular domain registrars today stating that they are PCI compliant Service Providers for their domain registration services alone. (Obviously, most registrars are PCI compliant merchants, but that's different.)
- A broader question: If Company B is deemed to be a PCI Service Provider for Company A, do all the same rules for scoping its System Components apply, even though Company A's cardholder data never touches Company B? For example, instead of looking at system components that connect to the Cardholder Data Environment (CDE) of Company A, since there are no such systems would Company B need to look at any System Component that could conceivably affect the security of Company A's CDE?