This is page 2 of:
When You Change Processors, What Happens To Your Data?
Although you can outsource your processing, you cannot outsource your responsibility. By that I mean if a third party gets breached and loses your data, you are likely to be held responsible even if that data is a year old and you no longer work with that third party. You will get the headlines and likely the fines, too.
A related situation is when you want to access your data but can’t. If you change processors and want to get back your old transaction data, does your original processor provide it or–better yet–send it along to your new processor? Or, what if your tokenization, encryption or key management vendor goes out of business? Can you get your original data back? Is there a provision in your contract for some form of data escrow where you can retrieve your original data either in case of business interruption or if you just want to change vendors?
At this point, we have to address the issue of whether the actions I’m describing would effectively put all the data back into your PCI scope. Particularly in the case of tokenized or encrypted data, which is generally considered to be in your PCI scope. The exception is if you, the merchant, have no ability to get back to the original clear text data. This exception should allow you the leeway to protect your organization.
The idea is that you do not have access to the clear text data unless and until you need to actually take it back, per the conditions spelled out in your contract. For example, in the case of tokenized or encrypted data, you cannot access that cardholder data unless, say, the vendor’s business fails. Should you need to exercise this provision, though, at that point and only at that point, would the data come into your PCI scope.
I would hope service providers of all types would see the benefit in what I’m suggesting. In the case of a processor, it might be reluctant to ease your transition to a competitor. But obstructing the process only guarantees that processor will have no chance whatsoever of getting back your business the next time around. For a tokenization or encryption provider, offering some form of data escrow reduces the customer’s risk and gives potential customers more confidence in the company. There may even be a business niche for such data escrow providers.
Alternatively, if you, the merchant, decide you don’t want or need your old data, your contract can obligate the service provider to purge your data permanently on your orders. Just don’t forget to do it if that’s your plan.
Merchants and QSAs may disagree or have difficulties with individual pieces of PCI Requirement 12.8. But that requirement is in place to help merchants protect the data they share with third parties–even after the initial contract has expired. Remember that to take full advantage of this safeguard, you need to have a long-range view and think beyond the initial term of your present third-party agreements.
What do your third-party contracts look like? Do you have provisions that go beyond the initial term and obligate your providers to return or purge your data? It is your data, after all. If you’re a service provider, what objections do you have to my suggestions? I’d like to hear your thoughts. Either leave a comment or E-mail me.
-Marc
May 28th, 2010 at 12:04 pm
Being both an online merchant and an insurer of this data, I find your comments are right on target. Your comment that the large retailer makes for better headlines than a third party processor is so true, but the truth is if the data is released, a good attorney is going to file suit against all parties involved.
It is the merchant that will be ultimately held liable for the loss of their customer data. However it is my understanding that if the merchant is no longer available to provide restitution, pay fines or penalties, then it could become the processor responsibility.