Monitor Your Service Provider’s Security

Written by Evan Schuman
July 31st, 2008

Guest Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

The PCI compliance process strongly encourages payment outsourcing. Only merchants who fully outsource get to use the "short form," or version A of the PCI Self-Assessment Questionnaire.

For some merchants, who never wanted to collect or retain card data in the first place, this is regarded as a good thing. But it’s also a very expensive thing. You wind up paying anywhere from thousands to hundreds of thousands of dollars per month to service providers to manage data that you didn’t want in the first place. One of the merchants I interviewed for our Retail PCI Best Practices study described it as a "racket"—a way to generate a predictable revenue stream moving from the retail industry to the financial services industry.

Is PCI easier for service providers? If you’re considering outsourcing card data collection, processing, or any other task to a service provider, ask yourself this fundamental question: If PCI compliance is so hard for merchants to achieve, why would compliance be any easier for service providers that hold the payment data of hundreds or thousands of companies? The answer is: It isn’t easier. Actually, it’s harder. In fact, the structure of many service provider operations makes full "enterprise-wide" compliance impossible. However, as long as they can provide an environment for their customers’ data that is sufficiently segmented to prove compliance, they can get an assessor to approve them.

Rewrite your service provider contract. We’ve conducted more than 175 hours of interviews for the PCI Knowledge Base, and it’s clear that even though the use of outsourcing is on the rise, the use of due diligence procedures to review the service provider’s practices is still limited to the largest organizations, which have sufficient Internal Audit staff to make on-site visits to key service providers.

But most merchants bet the safety of their data on a one- or two-line statement in their contract (or contract addendum) with their service provider that requires the provider to be PCI compliant. Contracts or addenda that merely require PCI compliance and the provider’s acknowledgement of responsibility for security are sufficient for PCI purposes, but merchants need to make sure that a detailed inspection and reporting process is also specified, so that due diligence can be performed to ensure the ongoing protection of corporate assets (i.e., your customers’ data).

Being "duly diligent" is a pain. The more you outsource, the more money and effort you have to devote to ensuring the proper handling of your business by the service providers you select. Most merchants cannot afford to implement some of the due diligence specified in their agreements, so the contracts have to be written such that due diligence is a right and/or an option that may be exercised under certain specified conditions, rather than an obligation. Otherwise, failure to conduct due diligence reviews could leave the merchant in breach of contract.

Do low-cost surveys to demonstrate due diligence. If you cannot afford to do on-site inspections of service provider security, gather data via surveys. Right now, you have to do this yourself. But it’s worth it to prove that you have conducted a due diligence investigation in case, God forbid, there is a security breach.

Understand the service provider perspective. When it comes to compliance and data security, the role of service provider sort of sucks these days. This is mainly because they have to comply with not only PCI but also SAS 70 and, if they provide services to banks, they must meet the BITS Master Security Criteria (MSC), too. As if that weren’t enough, they are constantly being visited by the Internal Audit staff of their largest customers and receiving customized questionnaires. In short, customized due diligence reviews won’t scale. But help is on the way.

Service provider ratings are emerging. We’ve talked to a couple of organizations that see payment and data security outsourcing as enough of a trend to justify creating third-party ratings services. The goal is to give merchants an objective, independent way to compare the effectiveness of various service providers in terms of their procedures, data security, etc., so that selecting service providers can be done on criteria other than price. This avoids commoditization. It also simplifies life for the service providers, who would prefer not to fill out hundreds of customized evaluations, which often combine some elements of PCI, SAS 70 and the BITS MSC, but never in the same way.

The bottom line is that merchants should only outsource payment processing or the management of any confidential data when they can implement a review process that is sufficient to demonstrate to a court that they are meeting legal standards of "due care" for customer data or other confidential information. Even though PCI compliance is easier if you outsource, merchants still own the brand, and liability (in the legal sense) cannot be outsourced.

  • If you’re a retailer, we want to get you involved in the best practices study we’re doing for the National Retail Federation. If you’d like to participate, send me an E-mail at
