In August the Payment Card Industry Security Standards Council (PCI Council) published guidance aimed at businesses that engage third-party service providers (TPSPs) to store, transmit or otherwise process cardholder data on their behalf.
The guidance sets out common-sense steps and best practice relating to the vetting, engagement and management of TPSPs. It is written in plain English and is relatively user-friendly. The guidance acts as a reminder of a central principle of PCI compliance: the use of TPSPs does not relieve a service-recipient business of its compliance obligations.
What is PCI DSS? In a nutshell, the Payment Card Industry Data Security Standard (PCI DSS) is the globally recognised set of standards to be met by any business that stores, processes or transmits payment cardholder data. PCI DSS was established and is maintained by the PCI Council, which comprises five global payment brands – American Express, MasterCard, Visa Inc, Discover Financial Services and JCB International.
PCI DSS is not law. It is enforced through contractual obligations that flow between the global payment brands, the payment processing banks and ultimately to businesses that store, process or transmit payment cardholder data. Cardholder data is the data found on the cardholder’s card and includes the cardholder’s name, the expiration date and card number.
Why did the PCI Council produce the guidance? The aim of the guidance is to help businesses better understand their roles in achieving compliance with PCI DSS where the business’s cardholder data will be processed by a TPSP.
The guidance aims to address a common misconception that a business can dispense with its obligations under PCI DSS if it outsources the processing of cardholder data to TPSPs. The PCI Council has responded on this point in a number of materials (including in the FAQs on its website).
The guidance goes further by describing the division of compliance responsibilities between businesses and their TPSPs, and describing in detail the considerations businesses should have in mind in the event that they appoint a TPSP to process cardholder data.
What does the guidance say? It describes best practice for the appointment and management of TPSPs. Much of it describes ‘common-sense’ steps to assist the business in achieving compliance with PCI DSS.
The guidance covers the following areas:
• Scoping – businesses should seek to determine the scope of the TPSP’s involvement with regard to the processing of cardholder data and assess the associated risk.
• Due diligence – businesses should undertake due diligence to determine whether the proposed TPSP is appropriate and whether the appointment could negatively affect its PCI DSS compliance.
• Engaging the TPSP – if a business decides to engage the TPSP, it should define and document its expectations in the service agreement which should also detail the remedies available to the business, should the TPSP fail to comply with its obligations.
• Monitoring the TPSP – the business will need to monitor the TPSP in order to comply with its PCI DSS obligations. With this in mind, the guidance suggests that businesses should maintain a TPSP-monitoring procedure, and it provides a high-level description of the key components of such a procedure.
The guidance also includes helpful resources such as a template roles and responsibilities matrix, describing the key responsibilities to be allocated between a business and its TPSP, which can be appended as a schedule to the business’s services agreement with the TPSP.
What does this mean for your business? Firstly, the guidance acts as a reminder that every business that stores, transmits or processes cardholder data is responsible for ensuring PCI DSS compliance, whether or not a TPSP is involved.
Secondly, the guidance assists businesses that are working towards compliance – it sets a new benchmark for businesses that already have procedures in place and can be used as a framework (albeit only in relation to the engagement of TPSPs) for businesses that are starting from scratch.
Thirdly, being PCI DSS-compliant can help businesses that are data controllers establish data protection compliance. However, PCI DSS compliance in itself does not guarantee data protection compliance nor does it eliminate the risk of data compromise.
Finally, by issuing this new guidance the PCI Council has given fair notice of what good practice looks like in the vetting and management of TPSPs. This level of transparency (in what is otherwise a technical and jargon-filled subject matter) puts the onus on businesses to undertake the relevant adjustments and makes it difficult for non-compliant businesses to plead ignorance.
Uchechi Okereke is a solicitor at Wragge Law
Further information on the guidance can be found at www.pcisecuritystandards.org/
• Ensure third parties that store, process and/or transmit card data or are connected to the cardholder environment provide evidence that they have maintained their PCI DSS compliance and are still registered with the card schemes.
• If using a third-party payment application in your environment, ensure the product and the particular version you are using is PA-DSS compliant and ensure the guidelines provided by the supplier are fully adhered to.