Your ecosystem of third-party relationships provides important strategic business advantages. It also exposes you to substantial and hard-to-predict risk. Data breaches targeting retailers and their third parties dominate the news and the boardroom: they offer high-value, high-profile results for attackers, and they carry significant risk of reputational damage, enforcement actions and fines for the retailer.
In August 2014, the PCI Security Standards Council published additional guidance on managing third-party risk and assurance. It recommends a thorough risk assessment of each third-party service provider (TPSP), based on an industry-accepted methodology, and states:
“The use of a TPSP, however, does not relieve the entity of ultimate responsibility for its own PCI DSS compliance, or exempt the entity from accountability and obligation for ensuring that its cardholder data (CHD) and CDE are secure. Clear policies and procedures should therefore be established between the entity and its TPSP(s) for all applicable security requirements, and proper measures should be developed to manage and report on the requirements.
A robust and properly implemented third-party assurance program assists an entity in ensuring that the data and systems it entrusts to TPSPs are maintained in a secure and compliant manner. Proper due diligence and risk analysis are critical components in the selection of any TPSP.”
Third-party risk management is no longer optional. PCI DSS 3.0, GDPR and other regulatory requirements have also put a major emphasis on scaling third-party risk programs. Securing the data supply chain in retail operations, and managing the risks that come with third-party access to the cardholder data environment, is a major challenge that retailers of all sizes are still struggling to tackle.