PCI DSS Third Party Risk 
The use of Third Party service providers (TPSPs) to process credit card payments is increasingly popular given the cost and operational efficiencies it represents and the perception of short-cutting the costly burden of Payment Card Industry Data Security Standard (PCI DSS) compliance.
In this series of blogs we’ll take a look into the issues outsourcing credit card payment processing raises, and how to mitigate and manage the risks associated with these Third Parties who have intimate access to Cardholder Data (CHD) and have the potential to pose a significant risk to the security of the entire Cardholder Data Environment (CDE).
Which Third Parties must comply with PCI DSS?
PCI defines a TPSP as any vendor that stores, processes, or transmits CHD on behalf of a client organisation, as well as any vendor that could affect the security of the CDE. Often, the latter of these two groups is omitted from PCI compliance efforts given the relative value placed upon the management of financial transactions in the use of such data.
While many organisations already have broader Third Party risk management programs in place, they may also share CHD with several service providers that are excluded or not subject to the appropriate levels of scrutiny and due diligence, such as:
• Web hosting providers,
• Backup storage facilities,
• Payment gateways,
• Fraud services,
• Managed service providers, and
• Infrastructure management providers
The latest iteration of PCI DSS 3.2 is a further reminder of the critical importance of the mitigation and management of Third Party risk and the need to improve upon previous measures aimed at ensuring compliance throughout the data supply chain.
What Third Party due diligence and compliance requirements are there in PCI DSS?
The following excerpts from PCI DSS 3.2 illustrate the importance PCI places on the continuous management and maintenance of a strong security posture where Third Party service providers (TPSPs) are employed to handle and process sensitive cardholder data (CHD):
10.8 Service providers must implement a process for timely detection and reporting of failures of critical security control systems.
12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel. Service providers must also establish responsibility for their executive management for the protection of cardholder data and a PCI DSS compliance program.
12.8 Maintain and implement policies and procedures to manage service providers with which cardholder data is shared, or that could affect the security of cardholder data.
12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.
12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
12.9 Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
12.11 Service providers must perform and document reviews at least quarterly to confirm personnel are following security policies and operational procedures.
Note: 10.8, 12.4 and 12.11 are a “best practice” until 31 January 2018, after which they become a requirement.
Do you need to be PCI compliant when using a Third Party payment processor?
This is an easy one. YES! In August 2014, PCI published additional guidance on managing Third Party risk and assurance recommending a thorough risk assessment on each TPSP based on an industry-accepted methodology, stating “The use of a TPSP does not relieve the entity of ultimate responsibility for its own PCI DSS compliance, or exempt the entity from accountability and obligation for ensuring that its CHD and CDE are secure.”
If your organisation accepts credit cards, then it must comply with PCI DSS, irrespective of whether you are handling the collection, processing and storage of the protected cardholder data or have outsourced it to a Third Party service provider. All organisations that accept credit cards enter one or many agreements with its bank, according to which the organisation must:
• Comply with credit card association regulations, including the PCI DSS; and
• Pay for any fines and assessments issued by the card associations following a card data compromise event.
The merchant is also required to report any card data compromise event to its bank, who then notifies the credit card association behind the PCI DSS compliance conditions.
What if your organisation is not PCI DSS compliant at the time of the breach?
In case of a breach, the merchant might be required to retain and pay for a Payment Card Industry Forensic Investigator to conduct a forensic examination of the processing environment. This can be costly, depending on the size of the business.
The process moving forward is explained in credit card brand regulations (e.g. Visa International Operating Regulations or MasterCard Security Rules and Procedures). Generally, the investigator must determine if your organisation was compliant at the time of the breach. Each credit card vendor will impose a separate fine for non-compliance, and can impose additional penalties for not reporting the incident immediately. These fees are claimed by virtue of the indemnity provisions in the Merchant Services Agreements; your bank will claim the money on behalf of the credit card companies. Also, your bank may decide to increase transaction fees or, in some cases, simply terminate the business relationship to eliminate the risk.
And be warned – payment brands can assess more than 25 different contractual penalties, fines, adjustments, fees, and charges upon a retailer following a PCI data security breach. So it is imperative that you ensure the security of your payment data supply chain.
Does outsourcing still make sense under these stricter requirements?
Employing TPSPs does offer significant commercial benefits and reduce (but not eliminate) the compliance burden; as organisations will normally only have to complete a Self-Assessment Questionnaire to provide evidence of their own compliance with PCI DSS. However, the PCI offer the following guidance:
“Clear policies and procedures should therefore be established between the entity and its TPSP(s) for all applicable security requirements, and proper measures should be developed to manage and report on the requirements. A robust and properly implemented third-party assurance program assists an entity in ensuring that the data and systems it entrusts to TPSPs are maintained in a secure and compliant manner. Proper due diligence and risk analysis are critical components in the selection of any TPSP”
So there are various factors to consider when dealing with TPSPs, such as group litigation exposures and due diligence in vetting and assessing TPSPs. We’ll cover this in more detail in the next blog: PCI DSS Third Party Risk – Risk Exposure and Improving Risk Mitigation and Management
You’re only as Strong as your Weakest link
Given 97% of breaches involving stolen credentials resulted from legitimate access by Third Party service providers (Verizon 2016 data Breach Investigation Report) and high profile breaches the PCI DSS 3.2 enhances both the Data Security Standard and the associated “Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers”. These requirements offer a more rigorous examination and increase the level of detail and due diligence expected in the risk assessment of organisations and their TPSPs.
With over 15 years’ experience in IT Security, Risk and Assurance DVV Solutions has the technology, process, and people necessary to deliver the highest standard of Third Party risk assessments geared specifically for the challenges of PCI DSS Third Party risk and compliance.
Call us to discuss your Third Party risk posture on +44 (0) 161 476 8700, or complete our Contact Form and a member of the team will contact you.