In today’s digital age, the volume of payment card transactions has increased, making merchants, payment processors, acquirers, and card issuers primary targets for financial fraud and other attacks. These entities are responsible for protecting card data and complying with the Payment Card Industry Security Standards Council’s Payment Card Industry Data Security Standard (PCI DSS). As these entities engage third-party service providers (TPSPs) that may have access to card holder data or impact the security of such data, they must ensure that the use of TPSPs does not undermine their own PCI DSS compliance status or the card data security.
To promote and improve the security of cardholder data when engaging TPSPs, the Payment Card Industry Security Standards Council (PCISSC) issued guidance on “Third-Party Security Assurance.” In this blog post, two we’ll focus on three key areas of this guidance:
- PCI DSS Third-Party Service Provider Due Diligence: Merchants, payment processors, acquirers, and card issuers should thoroughly vet prospective TPSPs. Proper due diligence helps entities select appropriate TPSPs with the skills, resources, and capabilities necessary to prevent and reduce potential security threats and risks.
- Written Agreements with Third-Party Service Providers: Where the TPSP successfully passes the due diligence process, merchants, payment processors, acquirers, or card issuers must enter into an appropriate written agreement with the TPSP. As part of the engagement lifecycle, entities should have documented policies and procedures so that TPSPs understand their responsibilities and obligations.
- Management & Monitoring of Third-Party Service Providers: A TPSP monitoring program is essential for tracking TPSPs’ PCI DSS compliance status. A TPSP monitoring program enables entities to track the compliance status of their TPSPs and determine whether a change in a relationship is required.
Want to learn how retailers are managing service providers and meeting PCI DSS obligations? Watch the best practices video.
Why Third-Party Service Provider Risk Management Matters Under PCI DSS
Today, data security concerns are growing with the increased use of TPSPs to store, process, or transmit cardholder data, or to provide other services that may affect cardholder data security. Data breaches put hundreds of millions of cardholder data records at risk each year.
Under PCI DSS, using third-party service providers (TPSPs) does not relieve entities of the responsibility for properly managing data or securing cardholder data and environments.
Inadequate security practices open the door for the malicious use of customers’ financial information. Below we highlight recommendations for implementing PCISSC’s guidance on TPSPs.
Third-Party Service Provider Due Diligence
In developing a third-party risk management program, entities should consider controls to protect cardholder data, financial data, sensitive data, and personal data, as well as measures to comply with applicable laws and regulations. Entities should develop appropriate due diligence policies and procedures, including criteria for pre-selecting TPSPs and how the TPSPs will validate PCI DSS compliance.
To ensure a proper due diligence process, entities should:
- Determine the scope of the service the TPSP will provide in order to understand the associated risks
- Evaluate the TPSP to understand how the TPSP will impact the entity’s PCI DSS compliance
- Research the TPSP’s financial stability, reputation, experience in the industry, breach history, business continuity readiness, and other risk considerations
- Determine if the TPSP is PCI DSS compliant and can validate this compliance with appropriate documentation. Obtain the validation documentation, such as a Report on Compliance; an Attestation of Compliance; a Self-Assessment Questionnaire D and an Attestation of Compliance for Service Providers; and an ASV Scan Report Attestation of Scan Compliance
- Conduct a risk assessment on the TPSP using industry-accepted methods to understand the TPSP’s security processes and controls, such as password policies, cryptographic architecture, firewalls, and authentication policies. In particular, the assessment should focus on, among other things, the TPSP’s
- Security governance and risk management
- Physical Security
- Human Resources practices
- Use of external third parties
- Configuration management processes
- Access authorization procedures
- Incident response plans
- Anti-malware measures
- Segregation and security controls
- Maintain documentation of the due diligence research and risk assessment results
Third-Party Service Provider Written Agreements
Upon completing due diligence and selecting the TPSP, entities should formalize written agreement with the TPSP. The agreement should, at a minimum:
- Describe the scope of service the TPSP will provide
- Document whether the TPSP is PCI DSS compliant
- Specify the regularity of PCI DSS compliance status checks and required evidence of such compliance
- Stipulate the TPSP’s responsibility for cardholder data security and ensures that the TPSP expressly acknowledges its commitment to such security
- Require the TPSP to communicate changes in its PCI DSS compliance status
- Define the expectations of the service the TPSP will provide (e.g., service-level agreements)
- Give the entity audit rights over the TPSP, namely, the right to request the TPSP to complete a PCI DSS assessment, whether prior to entering the agreement or on periodic basis (e.g., annually)
- Outline the requirements for communication of issues related to changes in the service
- Define the requirements where the TPSP intends to outsource parts of its service through its own third-party service provider (e.g., a nested TPSP)
- Require the TPSP to provide evidence of its technical and organizational security measures, including, but not limited to, its intrusion/vulnerability detection controls, penetration tests, and data security incident response plans
- Sets forth the TPSP’s responsibility to have an incident response plan, including procedures to provide notification in the event of a data breach
- Identify the TPSP’s representative who is responsible for the TPSP’s PCI DSS compliance
In addition, when drafting agreements, entities should consider:
- Regional requirements and applicable legal and regulatory obligations
- Industry-specific regulations, requirements, or standards
- Acquirer considerations, such as acquirer-specific responsibilities the TPSP must follow
- Payment card brands’ compliance-program requirements for engaging a TPSP
- The relationship between the entity and the TPSP, such as whether a subsidiary or conglomerate relationship exists
- A responsibility matrix so each party understands its respective responsibilities and obligations
Third-Party Service Providers Management & Monitoring
To ensure PCI DSS compliance and the security of cardholder data, merchants, payment processors, acquirers, and card issuers must manage and monitor their TPSPs. A comprehensive documented monitoring program allows entities to monitor their TPSPs’ PCI DSS compliance status and track any status changes in a consistent manner. Such a program should include policies and procedures for:
- Define the cardholder data environment scope
- Creating an inventory of TPSPs, along with descriptions of the services provided, the individual or business unit responsible for a TPSP, the location of cardholder data, the risk assessment results, and the frequency of monitoring, among other information
- Monitoring a TPSP’s performance at least annually to ensure compliance with contractual obligations and PCI DSS requirements by, among other things,
- Defining the evidence and supporting documents the TPSP must provide for analysis and contract renewal
- Maintaining up-to-date documentation of each TPSP’s PCI DSS compliance status
How OneTrust Vendorpedia Helps PCI DSS Compliance
OneTrust Vendorpedia offers numerous tools to assess TPSP risk, inventory TPSPs and relevant documentation, and record TPSP’s PCI DSS controls, as well as to track TPSP PCI DSS compliance, changes to the scope or nature of the relationship, and perform ongoing oversight throughout the lifecycle of the engagement.
Want to learn more about OneTrust Vendorpedia? Request a demo today.