On August 7, 2014 the PCI Security Standards Council issued new guidance to supplement PCI DSS Requirement 3.0 and help organizations reduce the risks associated with entrusting third-party service providers (“TPSPs”) with consumer payment information. More and more merchants use TPSPs to store, process and transmit cardholder data or to manage components of the entity’s cardholder data environment. A number of studies have shown that breaches are tied increasingly to security vulnerabilities introduced by third parties. To combat such risk, a PCI special interest group made up of merchants, banks and TPSPs, together representing more than 160 organizations, created practical guidelines for how merchants and their business partners can work together to comply with the existing PCI standard and protect against breach.
Below are some high-level recommendations found in the “Information Supplement: Third-Party Security Assurance”:
TPSP Due Diligence: Conduct due diligence and a risk assessment when engaging TPSPs to determine whether the skills and experience of the TPSP are appropriately suited to the task. Questions to ask include:
- What technology and system components are used by the TPSP for the services?
- Does the TPSP use other third parties?
- What other core processes or services are housed in TPSP facilities?
- How many facilities does the TPSP have where cardholder data will be located?
- Consult with your “acquiring bank”, “merchant bank”, or “acquiring financial institution” (each an “Acquirer”) to ensure the TPSP services are approved.
- Review the participating payment card brand service-provider listings and websites as well as the PCI DSS validation documents.
- Perform a risk assessment on the TPSP based on industry-accepted methodology.
Engaging the TPSP: Implement a process for engaging TPSPs.
- Set forth the expectations of all parties involved and review expectations at least annually so as to keep a consistent and mutually agreed upon mode of operation.
- Assess the scope of the TPSP’s responsibility and consider including contractual provisions in documents with TPSPs that require evidence sharing.
- Establish a communication schedule so that changes are communicated to the appropriate people in a timely manner.
- Track how the TPSP’s services and products match up with the PCI DSS requirements.
Written Agreements, Policies and Procedures: Once a TPSP is chosen, the entity and the TPSP should memorialize the agreement in writing.
- If a TPSP claims its services are PCI DSS compliant, consider documenting such compliance, the date of the compliance assessment and any components that were excluded from the assessment.
- An entity should keep in mind all regional requirements that apply, such as state-specific requirements and all legislative considerations such as definitions of protected information and breach-notification thresholds.
- Review agreements with Acquirers to ensure TPSPs are meeting additional requirements.
- Review compliance programs for each payment card brand to make sure the TPSP is in compliance.
- Keep industry-specific regulations in mind.
- Make the TPSP aware of the company’s incident response plan, its requirements and the allocation of responsibility in the case of a suspected data breach.
- Consider what requirements and responsibilities will continue to affect the TPSP even after the engagement has formally ended (e.g. if a TPSP continues to store an entity’s cardholder data as part of a backup system).
Monitor Third-Party Service Provider Compliance Status: Develop a robust compliance monitoring program and document it.
- Make sure all resources involved in monitoring understand the scope of the cardholder data environment and establish a deliverable for the TPSP.
- Set forth a procedure for maintaining the TPSP list, which includes information such as the name of and primary points of contact at the TPSP, the specific services provided, the last date of review, etc.
- Consider including the following in your TPSP monitoring procedure: a list of evidence and supporting documentation that will be collected from the TPSP, a detailed description of the PCI DSS compliance status, a report template, details describing how status review results are to be shared and approved, and policies for retention of monitoring program data.
By properly implementing a third-party assurance program, a company can help ensure that data is kept in a safe and compliant manner.