When You Change Processors, What Happens To Your Data?

Written by Walter Conway
May 19th, 2010

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Have you ever wondered what happens to all your old card transaction data after you change your processor or acquirer? Most retailers have made such a change, and many make it a practice to rebid their card-processing contract every few years. After you move on, though, your data frequently doesn’t follow you. What are your responsibilities if this old data gets compromised?

Are you still responsible under PCI Requirement 12.8 for managing a service provider when you no longer have a relationship with that provider but it still has your data? Aside from PCI considerations, if a service provider–think tokenization vendor or loyalty program manager–simply goes out of business, how will you get your data back?

(Editor’s Note: See related story about who is truly responsible under PCI for dealing with breached former processors.)

I am neither a lawyer nor do I work anymore for a card brand, so I can’t say for sure that you would be held responsible for a third-party data breach in the above situations. But I do know that a large retailer makes a better headline than an obscure third-party provider. That fact alone should be reason enough for you to take a fresh look at your third-party service provider contracts.

Requirement 12.8 is probably my favorite in all of PCI. It states that if a merchant shares cardholder data with any third party, the merchant is responsible for having policies and procedures in place to manage that third-party relationship. Exactly what those policies and procedures should be is spelled out in four sub-sections.

One reason 12.8 is my favorite PCI requirement is that every merchant–from the largest Level 1 retailer that requires a 100-page Report on Compliance to the corner store that outsources its processing and validates its compliance with the two-page Self-Assessment Questionnaire “A”–has to confirm explicitly it is managing all its service provider relationships.

Another reason it is my favorite: 12.8 implicitly recognizes that cardholder data is toxic and that it continues to be toxic long after the original transaction. If you are going to entrust an outside organization with your cardholder data, PCI obligates you to take certain safeguards. These safeguards include securing the third party’s agreement, in writing, that it will take responsibility for the cardholder data you entrust to the provider (12.8.2).

When you specify the contract details, then, it makes sense to ensure the terms carry on past the expiration of your current agreement and continue so long as the third party holds or has access to your data. Most CIOs will be familiar with such a continuing provision. Just about every non-disclosure agreement ever written includes one, whereby even after a particular project is over, neither party is free to disclose the other’s confidential information. The same thinking applies here.

The parallel for CIOs is to use 12.8 to put that same continuing obligation in your service provider agreements. In the course of PCI assessments, I have seen several of these agreements. I don’t recall too often, however, seeing an explicit recognition of the continuing value of the data beyond the initial term of the contract.


One Comment | Read When You Change Processors, What Happens To Your Data?

  1. Larry Harb Says:

    Being both an online merchant and an insurer of this data, I find your comments are right on target. Your comment that the large retailer makes for better headlines than a third party processor is so true, but the truth is if the data is released, a good attorney is going to file suit against all parties involved.

    It is the merchant that will be ultimately held liable for the loss of their customer data. However it is my understanding that if the merchant is no longer available to provide restitution, pay fines or penalties, then it could become the processor responsibility.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.