For merchants, long gone are the days of using a card reader with a dial-up connection to their payment processor. Today’s omni-channel retailers rely on multiple third party service providers to complete payment card transactions. These third parties—call center operators, payment gateways, loyalty solution providers, managed security services, data-center hosts, mobile app developers, and fraud prevention services—have access to or could impact the security of cardholder data. A quick review of recent security alerts regarding remote access tools and news articles regarding attacks on payment card systems highlights the fact that merchants still face the consequences that follow from an account data compromise event even if it was caused by their service provider. Indeed, contractual obligations merchants accept to be able to accept payment cards impose the ultimate responsibility on merchants for compliance with the Payment Card Industry Data Security Standard (PCI DSS), regardless of whether the merchant does it entirely on its own, relies on some service providers, or completely outsources all aspects.
Merchants are obligated under PCI DSS Requirement 12.8 to maintain policies and procedures to ensure that service providers are securing cardholder data. And although just a “best practice now” under PCI DSS 3.0, beginning July 2015, merchants will also be required to obtain a written acknowledgement of responsibility for the security of cardholder data from their service providers. But anyone who has gone through several rounds of selecting, vetting, and contract negotiation with various service providers has likely faced at least one of the following challenges: (1) denial of access to Reports on Compliance; (2) refusal to agree to maintain continuous compliance with PCI DSS; (3) rejection of demand for indemnification of the merchant if the provider allows unauthorized access to cardholder data; and (4) refusal to permit post-selection auditing. Ensuring compliance with Requirements 12.8 and 12.9 is a difficult task for merchants.
Recognizing this difficulty, on August 7, the PCI Security Standards Council published the Third Party Security Assurance Information Supplement (“Supplement”). The Supplement contains guidance from a PCI Special Interest Group (“SIG”) (consisting of merchants, banks, and third-party service providers) designed to help merchants meet Requirement 12.8.
The Supplement focuses on the lifecycle of the shared security responsibility between merchants and their service providers:
- Third-Party Service Provider Due Diligence – advising organizations to thoroughly vet candidates with careful due diligence and providing assistance on reviewing and selecting third-party service providers with skills and experience appropriate for engagements.
- Service Correlation to PCI DSS Requirements – helping organizations understand how the services provided by third-party service providers correspond to the PCI DSS requirements and which of the requirements apply to the third-party service provider and which requirements apply to the organization.
- Written Agreements and Policies and Procedures – aiding in developing written agreements to promote consistency and understanding between an organization and its third-party service providers regarding their respective responsibilities and obligations for complying with the PCI DSS requirements.
- Monitoring Third-Party Provider Compliance Status – educating organizations on knowing a third-party service provider’s PCI DSS compliance status to help provide an organization with assurance and awareness about whether the third-party service provider is complying with the applicable requirements and which requirement applies to the different services provided by the third-party service provider.
Although the Supplement provides organizations with guidance on how to ensure that its service providers are appropriately protecting cardholder data, the first page contains a very noticeable call-out: “Note: Ultimate responsibility for compliance resides with the entity, regardless of how specific responsibilities may be allocated between an entity and its TPSP(s).”