Collaboration is one of the strengths of the payment industry. But any strength can also be turned against you and become a weakness. We examine some of the ways that businesses can manage the risks of collaborating with third parties.
Any organisation is only as strong as its weakest link, and that link may be a third party. Indeed, in one high-profile case, attackers breached the security of a large US retailer via its air-conditioning vendor and stole the data of millions of credit and debit cards.
Effective risk management within an extended enterprise no longer means simply understanding your organisation’s supply chain as a linear chain and managing it as such. It means understanding the network of relationships your organisation may be part of, and managing the risks that arise from those relationships as a whole.
PCI SSC issue guidance
Back in August 2014, the Payment Card Industry Security Standards Council (PCI SSC) released Information Supplement: Third-Party Security Assurance to help organisations and their business partners reduce risk by better understanding their roles in securing card data. We review the content of the document – which has since moved from guidance to a PCI DSS audit point and been updated – and what it means for businesses that accept cards.
The PCI SSC defines a ‘third-party service provider’ as an entity, other than a payment brand (i.e. card scheme), that is directly involved in the processing, storage or transmission of cardholder data on behalf of another entity.
Various businesses could fall into this category, depending on the services they provide. Examples include those securing cardholder data, those installing or otherwise supporting point-of-sale equipment, those protecting the cardholder data environment (e.g. at a data centre), and those who may have incidental access to cardholder data or the data environment, such as providers of managed IT services.
The PCI SSC makes clear that the use of third-party service providers does not relieve an organisation of ultimate responsibility for its data security compliance. Nor does it exempt the organisation from accountability and the obligation to ensure that its cardholder data and cardholder data environment are secure.
So, while an organisation may outsource a function, it cannot outsource the responsibility or liability for PCI compliance.