Balancing PCI Compliance with Third-Party Service Providers
We tend to focus a lot of attention on third-party payment applications and e-commerce websites due to the increased risks and recent data breaches, but what about those third-party vendors that are physically residing on your campus?
Requirement 12.8 states that organizations must maintain and implement policies and procedures to manage third-party service providers. A service provider is defined by the PCI SSC as a:
“Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data.”
There are many variations in how these relationships are configured, so your organization will want to review each third-party vendor on a case-by-case basis to ensure it is not creating unnecessary risk or additional compliance requirements for your organization. Take advantage of your CampusGuard QSA (little secret…the Security Advisors may seem nice, but they are very used to being the “bad guy” when it comes to requiring third-party compliance!).
Below are some of the more common service provider relationships we come across during our PCI assessments, along with a high-level summary of your organization’s PCI compliance responsibilities for each.
PCI Compliance Responsibilities
How can you get ahead of situations like these and ensure new vendors on campus are compliant from the onset, instead of spending time and resources after the fact to correct them?
Your Procurement team can be a great resource and should know to contact you when new proposals or requests related to payments come in. Their procedures should specify that anytime they receive a contract that mentions payment card information in any way, they need to involve the PCI Team or appropriate office. That way you can review what is being proposed, assist in the determination of the vendor’s compliance status, and provide the necessary contract language regarding PCI compliance responsibilities, required documentation, etc.
You can also include Procurement in your general PCI awareness training each year so they stay up to date on the importance of compliance and become more educated about potential PCI red flags that may come across in contracts. Ensuring other staff also participate in this training will go a long way toward preventing them from signing a new third-party contract without following the official due diligence process outlined in your payment card policy.
Some additional guidance from CampusGuard’s Security Advisor Team:
[Hobby]: Colleges and universities often use third-party service providers to handle aspects of their payment card processing. As mentioned above, the PCI DSS requires merchants to oversee the compliance of those third parties. There are three areas key to performing this oversight:
Due Diligence: Third-party service providers should be vetted for PCI compliance. This vetting should ensure third parties appropriately manage security threats and risks. Also, be sure to understand whether your third parties have contracted other third parties themselves.
Written Agreements: Organizations should have written agreements with all Service Providers ensuring that those Service Providers understand and formally agree to their responsibilities and obligations. CampusGuard does have examples of sample contract language for many of the outlined scenarios and can work with your teams on these agreements.
Regular Review: Organizations should have a monitoring program in place for tracking their Service Providers’ PCI DSS compliance status on an ongoing basis.
I’ll end by emphasizing that while Service Providers are often both beneficial and essential to your payment card processing, they represent significant risk. The Ponemon Institute reports that almost 60% of companies have experienced a data breach caused by a third party, and that third-party involvement is the single most expensive factor in the cost of breaches (Data Risk in the Third-Party Ecosystem, 2018). The PCI SSC has also issued its own guidance: Third-Party Security Assurance.