
Team Effort: Working with Third-Party Partners to Achieve Effective PCI-DSS Compliance

By ISB Editorial Staff, April 14, 2016

Every company in the UK that processes and stores customer payment information is ultimately responsible for its own compliance with regulations such as PCI-DSS (Payment Card Industry Data Security Standard). However, what many don’t realise is that they don’t have to go it alone. Outsourcing certain operational responsibilities to third-party experts can save significant time, money and resources, whilst also minimising the risk of a security data breach. But perhaps unsurprisingly, outsourcing comes with a number of unique challenges, meaning an effective due diligence programme must also be in place to ensure success. This article will discuss some of the main challenges and benefits of outsourcing PCI-DSS compliance and how to implement an effective due diligence programme to ensure success.

Picking the right partner

The number of third-party compliance experts in the market is growing all the time, meaning businesses have a wide choice available to them. But before any final decision is made, a comprehensive due diligence check must be carried out. This task can seem daunting at first, largely because there are so many important issues that need to be considered. However, it is extremely important to vet any potential third-party partner thoroughly to ensure there are no skeletons in the closet before entering into an agreement with them. Areas that should be scrutinized closely include:

  • Financial stability
  • Previous breaches, litigations, sanctions
  • Existing information security programmes
  • Existing physical security procedures
  • Business continuity – incident response
  • HR – pre-employment checks, training and awareness
  • Compliance – KYC, AML, anti-bribery, regulated entity
  • Insurance
  • Sub-contractors

When a partner is finally chosen, the due diligence programme should be documented and consistently implemented so that it can be audited and accounted for when the company comes to assess its own compliance validation.

Ensuring ongoing compliance

When working with a third party, businesses should be confident of that partner’s ongoing compliance. After all, there’s no point in outsourcing an issue if you then spend all your time worrying about the partner! Thankfully, many third-party service providers have a direct relationship with the card payment brands (VISA, Mastercard etc.) or their member banks (Barclays, Lloyds etc.) and therefore inherit an obligation to demonstrate compliance with the controls relevant to the services they provide. The same principle applies to service providers that are engaged by merchants or other entities.

Service providers are typically given the following two choices when it comes to validation of their ongoing compliance:

  1. Annual assessment: Service providers can undergo an annual PCI-DSS assessment (or assessments) and provide evidence to demonstrate their compliance to their customers
  2. Facilitate on-demand assessment(s): Service providers must facilitate and participate in their customers’ PCI-DSS reviews upon request

Both are viable options, although providers that undergo annual assessments run a greater risk of slipping out of compliance between checks. On-demand assessments generally keep providers on their toes more and ensure ongoing compliance, making them the preferable option.

Clearly defining and documenting responsibilities

When entering into any form of partnership, it is essential that both the business and the third party provider are clear about what their responsibilities are. This can avoid complicated and costly disputes further down the line. The high-level detail should always be contained in the contractual agreement, while detail about individual controls should be specified within a Third-Party Shared Responsibilities Attestation Matrix.

To avoid any misunderstanding, the typical clauses that should be covered in the contractual agreement between the two parties must include (but are not limited to):

  • Industry definitions
  • Scope of service
  • Compliance obligations
  • Compliance validation
  • SLA
  • Breach notification
  • Termination
  • Insurance
  • Reporting changes
  • Right to audit

PCI-DSS v3.0 introduced the need for a more detailed specification of responsibilities. Identifying and documenting these shared responsibilities can take considerably more time and effort than when the responsibility for compliance controls resides with only one party.

Leveraging service providers effectively for maximum ROI

Monitoring the compliance of third-party service providers does require additional effort, but it also provides the opportunity to reduce risk and the scope of compliance at the same time. Savings could also be made if the combined cost of outsourcing and monitoring is lower than doing it all in-house. This can be accomplished by migrating non-core activities, sensitive data or internally managed processing to a compliant service provider. This decision usually requires the company to re-engineer their processes but could result in long-term cost savings.

One recent example we have dealt with at Aeriandi was a merchant looking to securely store call recordings that contained sensitive card payment authentication data due to government regulatory mandates. The merchant’s existing supplier was charging extremely high costs, yet was providing a service that wasn’t PCI-DSS compliant. By migrating to Aeriandi, the merchant achieved compliance as desired, but also made significant budgetary savings in the process, almost as a by-product.

Third-party partners now have more responsibility to ensure compliance

In the past, in order to try to satisfy the 12 requirements of PCI-DSS, merchants would have to ask their service provider to acknowledge their responsibility for the security of cardholder data in their contract. However, there was no incentive or obligation for the service provider to sign such an agreement, making it extremely difficult to enforce. The good news is that this has changed. With the release of PCI-DSS v3.0 at the end of 2013, service providers are now mandated to include an acknowledgment of this responsibility in their service agreements. This amendment allows merchants to meet this PCI-DSS requirement and provides far greater peace of mind at the same time.

So, is it worth it?

As discussed, to achieve a successful partnership with a third-party provider, businesses must invest time and effort. Reaping the full benefits requires thorough vetting, clear agreement of responsibilities and regular compliance assessments. In return, outsourcing certain aspects of compliance can save money and resources in the long run, and ensure ongoing compliance with PCI-DSS regulations. As with anything, the more you put into the relationship, the more benefits you will gain from it, and achieving peace of mind that your company is protected against serious data breaches is certainly a gain worth working for.

