When You Change Processors, What Happens To Your Data?
Written by Walter Conway. A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
Have you ever wondered what happens to all your old card transaction data after you change your processor or acquirer? Most retailers have made such a change, and many make it a practice to rebid their card-processing contract every few years. After you move on, though, your data frequently doesn’t follow you. What are your responsibilities if this old data gets compromised?
Are you still responsible under PCI Requirement 12.8 for managing a service provider when you no longer have a relationship with that provider but it still has your data? Aside from PCI considerations, if a service provider–think tokenization vendor or loyalty program manager–simply goes out of business, how will you get your data back?
(Editor’s Note: See related story about who is truly responsible under PCI for dealing with breached former processors.)
I am neither a lawyer nor do I work anymore for a card brand, so I can’t say for sure that you would be held responsible for a third-party data breach in the above situations. But I do know that a large retailer makes a better headline than an obscure third-party provider. That fact alone should be reason enough for you to take a fresh look at your third-party service provider contracts.
Requirement 12.8 is probably my favorite in all of PCI. It states that if a merchant shares cardholder data with any third party, the merchant is responsible for having policies and procedures in place to manage that third-party relationship. Exactly what those policies and procedures should be is spelled out in four sub-sections.
One reason 12.8 is my favorite PCI requirement is that every merchant–from the largest Level 1 retailer that requires a 100-page Report on Compliance to the corner store that outsources its processing and validates its compliance with the two-page Self-Assessment Questionnaire “A”–has to confirm explicitly it is managing all its service provider relationships.
Another reason it is my favorite: 12.8 implicitly recognizes that cardholder data is toxic and that it continues to be toxic long after the original transaction. If you are going to entrust an outside organization with your cardholder data, PCI obligates you to take certain safeguards. These safeguards include securing the third party’s agreement, in writing, that it will take responsibility for the cardholder data you entrust to the provider (12.8.2).
When you specify the contract details, then, it makes sense to ensure the terms carry on past the expiration of your current agreement and continue so long as the third party holds or has access to your data. Most CIOs will be familiar with such a continuing provision. Just about every non-disclosure agreement ever written includes one, whereby even after a particular project is over, neither party is free to disclose the other’s confidential information. The same thinking applies here.
The parallel for CIOs is to use 12.8 to put that same continuing obligation in your service provider agreements. In the course of PCI assessments, I have seen several of these agreements. I don’t recall too often, however, seeing an explicit recognition of the continuing value of the data beyond the initial term of the contract.
May 28th, 2010 at 12:04 pm
Being both an online merchant and an insurer of this data, I find your comments are right on target. Your comment that the large retailer makes for better headlines than a third party processor is so true, but the truth is if the data is released, a good attorney is going to file suit against all parties involved.
It is the merchant that will be ultimately held liable for the loss of their customer data. However, it is my understanding that if the merchant is no longer available to provide restitution, pay fines or penalties, then it could become the processor's responsibility.