In our previous blog (PCI DSS Third Party Risk – Compliance and Liability in an Outsourced Payment Processing model) on the importance of being Payment Card Industry Data Security Standard (PCI DSS) compliant when using a Third Party service provider (TPSP), we highlighted that PCI non-compliant organisations can incur a wide variety of penalties because of the Merchant Agreements they have in place with their banks. Such contracts are signed as soon as the organisation accepts payments through credit cards, regardless of whether this payment processing is outsourced to a TPSP.
In turn, Third Parties create exposure to the additional risks of the financial, operational and reputational costs arising from investigations and group litigation following a breach. This post looks at the legal and compliance obligations of all parties and then offers practical advice on what can be done to proactively manage and mitigate the cyber, operational and financial risk exposure posed by TPSPs.
Are you liable for a data breach even if you outsourced payment processing to a TPSP?
Again, put simply: YES! As Zetoony and Stout note, “retailers are not shielded from liability by their card processor or device manufacturers in the event of a payment card data breach”. They add that this is often part of the operating agreements: “The fine print in the contracts for these products or services usually includes a number of provisions that place the liability on the retailer”.
In other words, if you accept credit cards, you are responsible to consumers and the relevant credit card brands for any data breach that causes financial damage to those parties. Subject to contractual limitations, however, you can claim part of any damages you pay out as a result of the breach against TPSPs that have not met their own statutory and regulatory obligations. It is important to remember, though, that the retailer first absorbs the legal implications of the data breach before any obligation falls upon a Third Party.
What are the impacts of PCI-DSS non-compliance on liability?
Allegations of negligence, breach of duty of care and breach of contract, individually, or together, are common in group litigation. Negligence, which is the issue alleged in most data breach suits, is typically defined in terms of a failure to use reasonable care or simply conducting business in a manner that is not considered reasonable for a prudent organisation. Examples of this may include not being PCI DSS compliant or not having measures in place that are otherwise covered by this standard, as well as not acting diligently in either the selection or management of the TPSP.
Legal systems do not require PCI DSS compliance, but they do require diligence, and in this regard compliance with applicable standards is a critical indicator. It should not be forgotten that the PCI DSS covers the security of the entire Cardholder Data Environment (CDE), and not only the storage or processing of Cardholder Data (CHD).
Many of the measures that are mandatory include actions that are otherwise required by most legal precedents to mitigate risks. An example of this is Requirement 12.10 “Implement an incident response plan. Be prepared to respond immediately to a system breach.” and the specific actions that must be taken in such cases.
What precautions and due diligence should be taken when outsourcing payment processing?
Whether you are specifically looking to comply with industry regulations – such as PCI DSS 3.2 or the EU General Data Protection Regulation (GDPR) – or assessing risk as part of a Third Party risk management programme, it is critical for organisations to always be able to clearly demonstrate due diligence. The same is true when outsourcing credit card payment processing to TPSPs, as they do not shield your organisation from legal liability or from the consequences of PCI DSS non-compliance.
In general, the vetting of potential and contracted TPSPs must demonstrate and maintain a written record of careful due diligence throughout the contract. But what does this look like in real terms?
Below is a list of recommended actions that can serve to protect your organisation from liability in the event of a security breach in a TPSP’s database throughout the lifecycle of your commercial relationship.
Determine the PCI DSS requirements applicable to the TPSP, establishing clear lines of responsibility and liability. This will inevitably vary depending on the extent of the services rendered by the TPSP.
Establish clear written policies and agreements, identifying all applicable and expected security requirements, ensuring the right to evaluate and audit security controls (remotely and via on-site inspection as deemed necessary), and agreeing measures to manage and report on these requirements.
Complete a thorough risk assessment before engaging the TPSP. The results should be documented and, in case of doubt, the assessment can be completed by an experienced vendor that is familiar with the PCI DSS Risk Assessment Guidelines and the appropriate documentation process. It is also essential to uncover any Fourth Parties used in the management or processing of CHD, and to assess and manage the risks they may pose with the same level of scrutiny applied to the originating Third Party. These are also known as “nested” or “chained” TPSPs and are defined by the PCI Security Standards Council as “any entity that is contracted for its services by another Third Party service provider for the purposes of providing a service”.
Monitor the TPSP’s compliance status, obtaining the proper validation documents, such as a Report on Compliance (ROC) completed by an Internal Security Assessor (ISA) or by an external Qualified Security Assessor (QSA), an Attestation of Compliance (AOC), a Self-Assessment Questionnaire (SAQ), and an ASV Scan Report Attestation of Scan Compliance (AOSC) if the TPSP is providing services delivered via systems required to meet PCI DSS Requirement 11.2.2. To obtain an additional measure of assurance that the TPSP’s PCI DSS assessment is aligned with the agreed-upon services, consider obtaining written verification that the services being provided fall within the scope covered by the AOC, ROC, SAQ and AOSC.
Periodic and event-driven re-assessment. A one-off risk assessment only provides a point-in-time evaluation of regulatory compliance and of security controls and capabilities. Risk is dynamic and operates within an ever-changing environment of new threats and exploits. It therefore makes sense to ensure re-assessment on both time-based and event-based triggers. These could include changes in ownership, changes in service provision, known breaches within other parts of the TPSP’s business, or major breach events within the wider community. Provisions would need to be laid out in the contractual obligations to allow this, but it is in the interests of both parties to ensure that security controls and compliant practices are operating in an optimal state at any given point.
Gain a continuous, holistic view of the TPSP’s risk landscape. Through a continuous feed of threat intelligence across shifting risk factors – including Data Risk, Operational Risk, Financial Risk, Brand Risk and Regulatory Risk – you can proactively anticipate positive and potentially harmful changes in your supplier’s ability to maintain the levels of security assurance that both the PCI regulations and your organisation demand. This insight can also serve as a trigger for the re-assessment of a TPSP and/or a review of your choice of Third Parties.
You’re only as strong as your weakest link
Given that 97% of breaches involving stolen credentials resulted from legitimate access by Third Party service providers (Verizon 2016 Data Breach Investigations Report), and in light of recent high-profile breaches, PCI DSS 3.2 enhances both the Data Security Standard and the associated “Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers”. These requirements offer a more rigorous examination and increase the level of detail and due diligence expected in the risk assessment of organisations and their TPSPs.
With over 15 years’ experience in IT Security, Risk and Assurance, DVV Solutions has the technology, process and people necessary to deliver the highest standard of Third Party risk assessments, geared specifically for the challenges of PCI DSS 3.2 compliance.
Call us to discuss your Third Party risk posture on +44 (0) 161 476 8700, or complete our Contact Form and a member of the team will contact you.