Due Diligence and Service Providers
If you’re going through a PCI DSS assessment and reach Requirement 12.8, you might think of a Service Provider with whom you share card data as being a bank or payment processor. After all, surely no other company you have a relationship with could pose a risk to your customers’ card data?
You might also think that the due diligence sub-requirement, 12.8.3, only means looking at Visa’s and MasterCard’s websites and checking that the company you are dealing with is listed there.
I’m sort of hoping you haven’t been nodding your head in agreement so far, as these have to be two of the most misunderstood concepts when dealing with PCI DSS.
A ‘service provider’ in PCI DSS terminology means any entity that stores, processes or transmits cardholder data on your behalf, or that can otherwise impact the security of that data. Payment processors are the obvious ones; the less obvious are companies offering remote support, managed security service providers and even separate entities within your own organisation.
‘Due diligence’ in PCI DSS terminology means that appropriate care and attention MUST be paid before and throughout the engagement of the above entities. This has to extend beyond simply checking a validation date on Visa’s or MasterCard’s website, the prime reason being that Service Providers are free to choose whatever scope they like for the assessment they submit to the card schemes.
If you’re working with a big payment service provider, a validation listing does not automatically mean that every service they offer falls within the scope of that validation, let alone that every service is PCI DSS compliant. Nor does it mean they have committed in any way, shape or form to maintaining their compliance status until the anniversary of their validation date.
As QSAs we appreciate it can be difficult to re-negotiate contracts mid-term, especially ones worth millions, but it’s simply not acceptable to sit back and do nothing, as your third-party contracts are quite likely the weakest link in the chain, by a considerable margin.
Reserve the right to audit. Bring third-party entities closer to you: understand their business and understand the risks they present to yours. Above all, don’t let their ‘PCI Compliant’ marketing statements, or a wayward account manager, fool you into thinking you’ve just signed a contract with a provider running out of Fort Knox!
An interesting point to note is that 12.8 appears in all of the SAQs too. Retailers being retailers and specialising in retail, I really doubt there is a common understanding of what a ‘Service Provider’ under PCI DSS actually is when a Level 4 SAQ gets shoved under their noses.
Something needs to be done. 90% of compromises year to date have been at Level 4 merchants, and it’s becoming widely known that Level 4 compliance programmes are failing due to the sheer volume of retailers that need dealing with.