by jlmorton
3178 days ago
This practice is allowed by industry security standards, like PCI-DSS. If it's determined that the third party acts as a PCI Service Provider, then the compliant party has a duty to determine that the third party is also compliant. The client vetted CircleCI, and CircleCI presumably vetted the third parties. It is not fair to say these vendors have not been vetted. It may not be a best practice, but it's little different from CircleCI (or any other company) contracting with a private data center, which has direct physical access to their equipment. They have presumably vetted the data center provider, or cloud computing vendor.