How to deal with service providers that aren't PCI DSS compliant
Achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS) is tedious and cumbersome, and in many cases requires a great deal of effort from businesses. There is the initial effort, and sometimes cost, required to secure cardholder data (CHD). Then there are the ongoing tasks involved in securing, monitoring and managing the cardholder data environment (CDE), such as defining the policies and procedures under which technology controls are implemented.
The scope of PCI DSS also includes any third-party service providers (TPSPs) that have access to cardholder data or the cardholder data environment, that store or process cardholder data on their customers' behalf, or that could otherwise affect the security of cardholder data.
What does it all mean? It means that you need to pay attention to TPSPs!
Why should you worry about third party service providers?
We cannot ignore TPSPs in today's world. Almost all businesses outsource one or more services to TPSPs.
The PCI Security Standards Council and the payment card brands are rightfully concerned about the security of cardholder data. The scope of the PCI DSS therefore covers all the people, processes and technologies that store, process or transmit cardholder data, and that includes third-party service providers.
If you engage a TPSP to provide a service, that service automatically comes within the scope of your PCI DSS assessment. Examples of such services are call centres, hosting, cloud services, storage, payment gateways, media handling, encryption, infrastructure, physical security, HR functions, routing and firewalling, and monitoring.
Working with third party service providers can be challenging and must be dealt with diligently.
Choosing a Service Provider
It follows that you should select service providers who are PCI DSS compliant for the services they offer. They should agree, in your contract with them, to maintain that compliance so that cardholder data remains secure.
Policies and procedures must be established between your business and your service providers for all applicable security requirements, and proper measures should be developed to manage, monitor and report on the requirements.
Due diligence in selecting service providers saves you from running into problems later and it reduces the cost and effort required to achieve PCI DSS compliance.
Figure 1: Due Diligence Process
Reference: Third-Party Security Assurance Special Interest Group, PCI Security Standards Council
Who is responsible for what?
According to PCI DSS requirement 12.8.5, it is important to know who is responsible for what: you need to ‘[m]aintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity’.
A PCI DSS responsibility summary gives a clear picture of who is responsible for what. You can use this document as a starting point to identify the participating service providers and then to establish their level of compliance for each service they provide.
In many cases, entities seeking PCI DSS certification have already chosen their service providers. Because of contractual obligations, they are either unable to replace non-compliant providers with PCI DSS-certified ones, or unable to push the TPSPs to obtain certification themselves.
How to deal with non-compliant TPSPs
Assess service providers
If you are working with non-compliant third-party service providers, or you suspect they might not be compliant, we can help. It is a process you probably would not want to handle on your own.
Stickman will assess the services of the third-party service providers that are relevant to your business (and in the scope of PCI DSS).
If we find that they are not PCI DSS certified, then we can look at remediating the shortcomings. If there are multiple non-compliant service providers involved, this might add time and costs to the project.
Helping service providers achieve compliance
Once we have identified TPSPs that are non-compliant, we can help those service providers achieve compliance. Stickman has successfully dealt with this in a few recent PCI DSS projects.
Where we found third-party service providers – and their multilevel subcontractors – who were not compliant, we used our experience to speak with both the client and the service providers about the situation.
Then we simplified the whole compliance procedure. We educated our client and their service providers on how to meet the PCI DSS requirements and conditions by completing the PCI Data Security Standard Self-Assessment Questionnaire (SAQ). This is a tool that helps both merchants and service providers determine whether they comply with the Payment Card Industry Data Security Standard.
It is a win-win for everyone
This is a winning situation for everyone. You get your PCI DSS certificate, as all your third party service providers are properly compliant.
At Stickman, we have successfully completed such a project.
The service providers are now in a much better position. They may have been reluctant to pursue PCI DSS compliance because of a lack of knowledge and education. Having been educated and become compliant, they can confidently attract more customers, since they are able to officially demonstrate their PCI DSS compliance for the services they provide.
And you’ve created a better partnership with your suppliers in a situation where you’ve both gained a successful outcome.