Have PCI, Will Travel
Written by Evan Schuman. Guestview Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.
Get out your "traveling pants," because you’re going to have to start visiting any company to which you entrust credit card data.
According to a summary of the forthcoming PCI 1.2 standard publicly released by the PCI Standards Committee a few weeks ago, if you use third parties to collect, process or store confidential data for you, then you need to do more than simply get a letter from them once a year that says they are doing right by your data, they’re PCI compliant or what have you.
Merchants cannot just outsource the handling of confidential data to the lowest bidder and assume that all is well for the 364 days from one PCI assessment to the next. The real questions are, can merchants afford these visits and are there any ways to accomplish this task that are less obtrusive than the phrase "vendor visitation program" implies?
Why you should be "your brother’s keeper." We’ve talked to many merchants who say they are having enough problems just managing their own security and compliance, so the very idea that they need to take on the problem of verifying that their business partners are secure/compliant is simply beyond their current capabilities.
However, over the last 25 years, a giant spider web of service providers has emerged, complete with extensive sub-contracting of software development and data management. In fact, it is extremely likely that the typical retailer has no idea where its data (including credit card data, customer and employee PII) is actually being kept, because their contractual visibility only goes "one layer deep."
Retailers know which company they contracted with, but they don’t know with whom their service providers contracted. I would say it’s a "rat’s nest" but I already said "spider web," so you get the idea.
BITS started the party, but PCI brought the "hard stuff." The whole idea of making sure that service providers are properly protecting data has been well codified by BITS, the Financial Services Roundtable (www.bitsinfo.org) as part of the security criteria that the group developed for financial institutions to use when evaluating their service providers.
Although the BITS criteria are excellent, the PCI assessment process is more formalized, because it relies on independent assessors (the QSAs). The additional rigor of the PCI process means that some service providers (e.g., call centers, software development shops, data center colocation facilities) whose customers include both retailers and financial services firms are now on the receiving end of voluminous, highly customized questionnaires that combine BITS and PCI, and are also receiving many more visits from their own customers.
Typically, only the largest retailers have vendor visitation programs today. But if the PCI 1.2 changes play out the way we’re expecting, the number of visits to service providers will increase severalfold. It turns out that all this traveling gets expensive, what with gas prices and all. So, we’re expecting changes in the market.
Enter the "we’ll visit your service providers" service providers. Why should merchants visit their service providers when they can just hire another service provider to do it for them? Yep, this is actually a real business—a real business that’s likely to get a lot bigger over the next two years.
Of course, the service can’t be just visiting the service providers. These businesses will have to "amp it up" and do more full-blown assessments. That’s how these service providers will differentiate on the high end. On the low end, the focus will be getting more service providers "checked off" for less money. But the risk, of course, will fall to the retailer.
To minimize the risk, the best plan is to adhere closely to the PCI standards but to not limit their application to cardholder data. After all, most merchants have tons of data entrusted to third parties. It would be a shame to have a vendor visit/assessment program that only focuses on protecting one type of data. So whether you visit your service providers yourself or hire someone to do it for you, it’s important that you not only follow the standards but develop a "holistic" plan that investigates the protection of all confidential data.
This comprehensive or holistic approach for investigating and managing third-party security is one of the PCI Best Practices that we at the PCI Knowledge Base developed for the National Retail Federation. If you’re a retailer, we want to get you involved in the best practices study too. It’s 100 percent anonymous. Just send us an E-mail at David.Taylor@KnowPCI.com.
October 3rd, 2008 at 12:25 pm
I am concerned about the sentiment of this. If taken to its logical conclusion, this would state that all of the work that we have all done to get PCI-DSS to this point was absolutely meaningless. If a merchant cannot rely on the findings of Service Provider’s independent Qualified Security Assessment firm to perform an onsite assessment then we cannot rely on the payment system at all.
In the last PCI-SSC meeting, there were rumblings of what Mr. Taylor said, but no clear cut guidance was given. It was more like, you might want to do “this” or you might want to do “that”, but it was far from dictatorial. What was made clear is that the PCI-SSC has strengthened their requirements by adding a much more concise QA process for all future validations which will help.
As an employee of a Level 1 Service Provider and Registered Agent of the card brands, I can tell you that the review process is far greater than even that of your largest Level 1 merchants, a SAS70/2 audit, etc.
Now I can understand Mr. Taylor’s belief, if the third party holding one’s data is small and untried, and has received a “phone” assessment. However, since it is a requirement to be PCI-DSS compliant, I believe that a copy of the Service Provider’s CORA, and/or ROVs for any PABP/PA-DSS software components, and an understanding of that company’s financial stability should suffice for due diligence.
Once the data is removed from the local POS systems running at merchant locations, then, and only then, should we turn our attention to the Service Provider community. We of course should require rigorous PCI-DSS validation of all of those third-parties, but we need to stop the bleeding of transactions into the wild from merchants first. Many Level 4 merchants simply cannot afford and honestly do not care about the IT requirements in order to make themselves compliant, but the industry as a whole has an obligation to protect the merchants and secure the money system. This is especially important in this current economy.