Businesses are adopting a third-party operations model that can put payment data at risk, according to a US-based industry body for data security standards for payment cards. The PCI Security Standards Council, the forum for the development of payment card security standards, published guidance to help retail and others taking card payments, and their business partners, reduce this risk by better understanding their respective roles in securing card data.
Developed by a PCI Special Interest Group (SIG) including merchants, banks and third-party service providers, the information supplement provides recommendations for meeting PCI Data Security Standard (PCI DSS) requirement 12.8 to ensure payment data and systems entrusted to third parties are maintained in a secure and compliant manner.
Breach reports continue to highlight security vulnerabilities introduced by third parties as a leading cause of data compromise, the PCI says. According to a 2013 study by the Ponemon Institute, the leading mistake retailers make when entrusting sensitive and confidential consumer information to third-party vendors is not applying the same level of rigor to information security in vendor networks as they do in their own.
As for PCI DSS Requirement 12.8, if a merchant or entity shares cardholder data with a third-party service provider, certain requirements apply to ensure continued protection of this data will be enforced by such providers. The Third-Party Security Assurance Information Supplement focuses on helping retailers and their business partners achieve this by implementing third-party assurance. Produced with the expertise and real-world experience of more than 160 involved in the Special Interest Group, the guidance includes practical recommendations on how to:
– Conduct due diligence and risk assessment when engaging third party service providers to help organizations understand the services provided and how PCI DSS requirements will be met for those services.
– Implement a consistent process for engaging third-parties that includes setting expectations, establishing a communication plan, and mapping third-party services and responsibilities to applicable PCI DSS requirements.
– Develop appropriate agreements, policies and procedures with third-party service providers that include considerations for the most common issues that arise in this type of relationship.
– Implement an ongoing process for maintaining and managing third-party relationships throughout the lifetime of the engagement, including monitoring.
The guidance includes suggestions for clarifying how responsibilities for PCI DSS requirements may be shared between an entity and its third-party service provider, as well as a sample PCI DSS responsibility matrix that can assist in determining who will be responsible for each specific control area.
PCI Special Interest Groups are PCI community-selected and developed initiatives that provide extra guidance and clarifications or improvements to the PCI Standards and supporting schemes. As part of its initial proposal, the group also made specific recommendations that were incorporated into PCI DSS requirements 12.8 and 12.9 in version 3.0 of the standard.
Bob Russo, PCI SSC General Manager, said: “One of the big focus areas in PCI DSS 3.0 is security as a shared responsibility.”
The Third-Party Security Assurance Information Supplement is available on the PCI SSC website at: https://www.pcisecuritystandards.org/security_standards/documents.php.
As with all PCI Council information supplements, the guidance provided in this document is supplemental and does not supersede or replace any PCI DSS requirements.
