Compliance Week : PCI Guidance Provides Clarity to Payment Card Industry

August 27, 2014
michelle

CardConnect CTO Rob Nathan recently sat down with Compliance Week to talk about the most recent addition to PCI 3.0. The addition regards outsourced security providers, something CardConnect is quite familiar with.

It has become increasingly popular for merchants to rely on third-party service providers to store and protect their data. And why not? It lifts a huge burden from merchants, who no longer have to allocate resources to keep credit card data safe; it saves time; and it reduces the PCI compliance burden. And since the Payment Card Industry Security Standards Council announced more stringent requirements early this month, merchants who outsource their security are even more protected.

It’s called the “Third Party Security Assurance Information Supplement” and it was developed with the help of retailers, banks, and third-party service providers (TPSPs). It provides some helpful info on how to do the following:

  • Conduct due diligence and a risk assessment when engaging TPSPs
  • Implement a consistent process for engaging TPSPs, such as setting expectations, establishing a communications plan, and mapping third-party services and responsibilities to PCI DSS requirements
  • Develop appropriate agreements, policies, and procedures with TPSPs
  • Implement a process for maintaining and managing third-party relationships through the lifetime of the engagement.

For those companies seeking third-party service providers, the supplement also provides a few questions they should ask when choosing a provider:

  • What technology and system components are used by the TPSP for the services provided?
  • Does the TPSP use other third parties?
  • What other core processes or services are housed in TPSP facilities that may affect the services provided?
  • What technology is used for those core processes or services?
  • How many facilities does the TPSP have where cardholder data will be located?

CardConnect CTO Rob Nathan reminds us that just because companies are using third party services to help with security, they are “not necessarily vetting them.” He also says that the new supplement ensures PCI DSS compliance among these third-party service providers.

That leads us to a point that we cannot over-emphasize:

Responsibility can never be outsourced.

Just because a merchant outsources card data storage does not mean they are no longer responsible if something goes wrong. This is why being upfront with a third-party service provider about expectations and responsibilities is absolutely vital to maintain stringent security. Additionally, merchants should always remain diligent when it comes to monitoring their third-party service providers.

Compliance Week subscribers can read the full article here.