Your organization may be PCI compliant, but is the company it outsources to?
Outsourcing is a hot topic in the world of PCI compliance as more organizations, including smaller merchants, grapple with the payment card industry's standard for keeping cardholder data secure. With those smaller merchants likely to outsource some credit card processing functions, the topic has taken center stage, says Dave Shackleford, director of Configuresoft's Center For Policy & Compliance.
"The bottom line is any third party that's handling the data has to be just as compliant as you do. Period," he says.
Companies that share cardholder data with service providers are obligated to contractually require that the service provider adhere to PCI Data Security Standard requirements.
"If you have a service provider that will be dealing with cardholder data, you have an obligation in your contract to say they must be PCI compliant and an obligation to actually validate where they are in compliance," says Phil Cox, principal consultant at security consulting firm SystemExperts.
Companies typically obtain a SAS 70, which usually satisfies PCI auditors, Shackleford said. In some cases, though, they may require a specific PCI audit of the third party. Before engaging in outsourcing activities, companies should consult with their acquiring banks, Shackleford advises. The acquiring bank is ultimately the liable party in the event of a breach, and the banks differ in their requirements, he says.
"See how they would like to proceed on getting a third-party, objective audit of the outsourced environment," he says.
At the same time, however, companies can reduce the scope of their PCI requirements by outsourcing all payment card processing functions--a trend Cox expects many in the industry will follow because it's cheaper and quicker. "They're moving it off and saying they're not in the business of processing credit cards."
By having a third party handle all transmission, storage and processing of cardholder data, a merchant will greatly reduce the scope of its PCI self-assessment, says David Taylor, founder of the PCI Knowledge Base and research director at the PCI Security Vendor Alliance. "You still have to file a self-assessment questionnaire, but you can file the simple one," he says.
Last year, the PCI Security Standards Council released four new PCI self-assessment questionnaires that experts say are streamlining compliance for many businesses, especially those that outsource payment card functions. Avivah Litan, vice president and distinguished analyst at Gartner, says the new SAQs replaced "an unrealistic one-size-fits-all questionnaire that did not reflect the reality of card-accepting businesses' operations and was not aligned with the PCI DSS itself."
Litan noted that the new SAQs distinguish between e-commerce merchants that outsource all payment processing and card data storage to a PCI-compliant payment service provider and e-commerce or brick-and-mortar merchants that have payment systems that connect to the Internet but don't store any data. She expected the new SAQ process to drive more card data outsourcing.
For example, the SAQ for organizations that outsource all cardholder data functions is very short and includes questions about the type of business and whether the third party handling cardholder data is PCI DSS compliant. The SAQ for organizations with point-of-sale systems connected to the Internet but no electronic cardholder data storage asks for confirmation that the payment application does not store sensitive authentication data after authorization, and whether a merchant is compliant with the 12 PCI DSS requirements. If not compliant for any of the 12, a merchant must provide a remediation plan and timeline.
Merchants should be wary, however, of vendors who claim that outsourcing will eliminate their PCI problems, warned Ken Smith, principal security consultant for IT solution provider Akibia.
"A couple of vendors have said, 'We hold the data, so you don't have to worry about PCI anymore'," he says. "The merchant with the online presence is ultimately responsible for taking care of their customers."
Visa maintains a list of service providers that are PCI compliant but places the responsibility on members to follow up with service providers with any questions about their compliance status. The PCI DSS Requirement 2.4 requires hosting providers with access to cardholder data to protect each merchant's hosted environment and data; Appendix A specifies that hosting providers must ensure logging and assessment trails are enabled and unique to each entity's cardholder data environment, and must have processes to provide timely forensics investigation in the event of a breach to any hosted merchant or service provider.
Appendix A notes that a hosting provider meeting the standard's requirements doesn't necessarily guarantee compliance for a merchant; each entity must comply with PCI DSS.
"When you outsource, you need to make sure the company you're doing business with is PCI compliant," Taylor says. "You need some form, signed letter, or compliance certificate."
Organizations should ask for the service provider's Report on Compliance issued by its QSA, Shackleford says.
Some companies are requiring more validation and are conducting detailed evaluations and even physical visits to the third party. Some financial-services firms and large retailers send audit teams to physically inspect whether their third parties are compliant.
"If you've outsourced parts or all of what you're doing from a card processing standpoint, you can't just rely on that letter," Taylor says. "If there's a problem with that [outsourcing] company, your brand gets dragged through the mud."
Indeed, it's not just a matter of having a contract that requires an outsourcer to be PCI compliant, says security analyst Randall Gamby. "You have to make sure they're willing to be audited by you and that they accept your controls on the information," he says.
Outsourcers sometimes push back on audit requests, though. "A lot of times the outsourced firms will try to fight you," Shackleford says. "They're notorious for doing that."
He recalled a sticky situation a few years ago when he was a security manager at an airline. This was before PCI DSS, but the company needed to comply with MasterCard's Site Data Protection program and, like many airlines, used an outsourcer for a lot of payment card processing. The outsourced firm, however, balked at an audit.
"They were totally unwilling to let me onsite and take a look at what they had," Shackleford says. He ended up working with security directors at four other airlines to demand, and ultimately force, the outsourcer to comply with a SAS audit of its card processing environment.
It's also important to check outsourcers' ongoing security by conducting periodic reviews and audits. Contracts should include provisions for spot checks or other types of reports, Gamby says. "You need to understand what their ongoing security strategies are. They may be PCI compliant at a point in time, but it doesn't mean they're compliant forever."
Some organizations have moved from annual audits to quarterly reviews, noted Taylor: "Compliance and security are such that the changes in your company, in your third party, in the way you communicate with the third party that you've outsourced to, can compromise your compliance and security on an almost daily basis."
In the event of a breach at an outsourcer, it's the name of the company that outsourced which customers will see on the letterhead, he says. "It's all nice and good that you've outsourced and you can reduce the scope, but you still own the problem."
For that reason, Gamby suggests that companies include language in their outsourcing contracts that provides for monetary damages if a breach occurs. While the acquiring banks are ultimately responsible for the payment cards, they will likely shift costs onto the merchant who suffered the breach.
Marcia Savage is Features Editor of Information Security magazine and Editor of SearchMidmarketSecurity.com.