Beyond AoC: Third-Party Service Provider Reviews
Many organizations utilize third-party vendor solutions to help outsource compliance and security responsibilities, but a breach of a third-party’s systems can still cause a significant headache and reputational damage for your organization. Even though your teams are being pulled in many different directions right now, third-party compliance should remain a focus.
How many of your merchants have partnered with third-parties to outsource a portion of their payment processes? Carefully evaluate third-party service providers for any operational, compliance, legal, and reputational risks that could potentially impact your organization. Before merchants enter into a new partnership with a vendor who either handles cardholder data or can impact the security of cardholder information, they should undergo a formal review and approval process.
As the PCI team, what should that review process look like? Outside of the typical requirements for ensuring there is language in the contract dictating the vendor’s responsibility to protect sensitive information, and collecting appropriate compliance documentation (i.e. the Attestation of Compliance), what else should be included in your due diligence process?
Below are some of the things you should be asking new vendors during your review process:
Do they take payments in person, by mail, or over the phone on your organization’s behalf?
If payments are taken, how are the transaction entered (e.g. through workstations with keyboards into a website, into PTS approved POI devices, etc.)?
If PTS approved POI devices are utilized, are they part of a validated point-to-point encryption (P2PE) solution listed on the PCI Council’s website?
Request a data flow diagram that depicts the flow of the CHD and all systems and parties involved with the transaction.
If payment card information is being entered into websites, who are the additional third party service providers involved and are they PCI compliant (i.e. able to provided current/valid AOC as well as an updated one annually)? Remember, even third parties that don’t literally process, store or transmit CHD can still be a PCI Service Provider if they can affect the security of the process.
Specify that the third party has PCI compliance documentation/proof specifically. SOC II reports, network diagrams, ASV scans, PCI certificates, etc. are all great measures of compliance but, at the end of the day, there needs to be a valid AOC for Service Providers (preferably signed by a QSA). Remember the AOC needs to be current, so you will need to verify the expiration date of the AOC.
If the third party has an acceptable AOC, what processes and services does it cover? Many times AOC’s exist, but don’t necessarily cover the systems or processes being touted.
Is the third-party regularly testing their applications, i.e. through vulnerability scanning, penetration testing, etc.? If they have a valid AOC, this should state that they are meeting these requirements, but it doesn’t hurt to also pose the question to help get a better feel for their security knowledge and posture.
Are there any shared PCI responsibilities (i.e. things your organization is responsible for) or is the third party responsible for everything? Be sure you are in agreement with the vendor as to who is responsible for which of the 300+ requirements and have that agreement documented for reference.
In the event of a data breach, what is the incident response plan? When is your organization notified and how? Who is responsible for notifying any affected individuals? Does the vendor have cyber insurance?
Once you have reviewed a vendor and determined they are an acceptable partner, don’t forget to continue to monitor their performance and adherence to the requirements. They should be providing you with an up to date AOC annually. Work with your team to determine if the individual merchants or the PCI Team will be responsible for tracking third-party compliance as part of the vendor management program. And continue to engage with your merchants throughout the year so everyone understands the requirement to consult with the PCI team and receive formal approval before partnering with any outside vendors when payment card information is involved. Some additional guidance from the Security Advisor team:
[Burt]: Understand exactly how each third party takes payments, as well as any partners they use in the process. Another key step is for all parties involved to know their detailed PCI responsibilities. No matter what entity holds the actual merchant ID involved, there will more than likely be responsibilities and PCI requirements to share. There seems to be a growing trend of third parties wanting to own less and less of the process these days, which can lead to confusion and misunderstanding unless everyone is on the same page. Remember, outsourcing payment activities/processes does not equate to having no PCI compliance obligations.