Contracts between merchants and service providers are often not ideal, for either or both parties, when it comes to addressing PCI DSS, cybersecurity, and data protection issues. Yet we need to find a way to make them work. Our presentation begins by recapping the PCI DSS requirements for service provider contracts. We then provide three example scenarios for how parties might address these issues, presenting each scenario from both the merchant and service provider perspectives. We conclude by offering mitigating measures parties may consider to create a defensible position, manage the cybersecurity risk, and get the most out of their contracts.