PCI Service Provider Dilemma: A Chain Can Control The Manager But Not The Managed

Written by Evan Schuman
May 20th, 2010

When a retailer outsources any function to a third party, it can protect itself through legal contracts (the threat to sue) and through early termination or simply not renewing the service (the threat to stop giving the third party money). But in the PCI payment-card-data-protection world, responsibilities and punishment for non-performance become a lot murkier.

In this week’s PCI column, Walter Conway makes an eloquent argument that chains must take special care to protect their data when changing processors. But Walt only briefly touches on the responsibility issues involving those processors. In PCI Requirement 12.8, the PCI powers-that-be mandate that the retailer properly manage the service provider, but they don’t say what happens if the service provider does something wrong anyway.

Consider a Fortune 500 manufacturer’s VP of Sales and Marketing. Let’s say she’s put in charge of managing a large advertising agency doing work for the chain. When things go wrong with that agency, the CEO might ask her what’s happening. But after the CEO reviews E-mails and sees that the VP did indeed instruct the agency properly—and that she tried to monitor that provider as closely as practical—he is satisfied that she is not at fault. Let’s call that Action Responsibility, where you’re responsible only for your own actions.

But during the same day, the CEO also learns that a huge client prospect has slipped away into the coffers of a direct rival. In that case, even though the sales VP did everything properly, all sales execs know that a dead account is their fault, regardless of what they did.

This is the same rationale that holds that a CEO is at fault for major company problems even if he did not personally do anything wrong. It simply comes with the territory. This point could be called Results Responsibility, where you’re responsible for whatever happens in your area, either through your own actions or the actions of people who report to you on projects for which you are responsible.

Does PCI 12.8 see retailers as having Action Responsibility or Results Responsibility? And which should they have?

Requirement 12.8 speaks to a rule that a retailer must do a range of things to properly manage the service provider. But it’s mum on what happens if the service provider opts to ignore your dutiful management efforts.

The phrasing in subsection 12.8.2 gets the closest by saying “Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.” But it still doesn’t say whether the retailer is responsible should that properly managed service provider get breached.

A parent can give all of the proper instructions to a child, but if the child disobeys and breaks the vase in the shop, the parent is still responsible. Is that the intent here? Sure, the retailer can always sue the wayward service provider. But that sidesteps the issue of PCI responsibility. Where does it stop?

The payment landscape is sharply changing. Companies—such as Blippy—are actively using payment card data, even though they may not accept payment card payments. To be precise, the data they are using is unrelated to the data they would receive if they did choose to accept a credit card. And yet those companies are clear of any PCI responsibilities.

Mobile companies—led by Apple—are trying to carve out a new payment environment where mobile charges appear on a carrier’s bill. If Apple, for example, uses iTunes to process payments and another company uses eBay’s PayPal, how does that play into PCI?

Perhaps we are at a stage where PCI needs to expand to anyone who uses credit and debit transactions? Perhaps a processor and other outsourced services should, in effect, have to subcontract PCI responsibilities from the retailers. That way, if a processor screws up and a chain’s data is damaged, any fines and punishment would go directly to that processor and not impact the retailer at all.

Responsibility should have its basis in fairness. And with today’s expanding payment arenas, fairness is something we’re seeing far less of.


One Comment

  1. Robert Martell Says:

    While it would be nice to see that the customer is not impacted, I don’t see that happening, no matter how this all falls out.
    Higher prices, higher fees. Somehow the consumer will pay for it.



