How PCI DSS requirements help inform third-party risk management

Written by Lisa Middleton | 4/23/21 8:00 AM
Globalisation and competitive pressure are leading to greater outsourcing and more complex supplier relationships. How can PCI DSS principles help inform the management of third-party risks more generally across a business?

The payment industry has a long tradition of outsourcing, partnering and collaborating across a fairly wide set of organisations. Many parties are involved each time a customer buys something with a plastic card, pays a bill or sends funds overseas.

The wider business world is waking up to the concept of the extended enterprise. This is when a number of organisations work together to achieve something that none of them could have realised alone.

Unlike a traditional supply chain, where value – and risk – travels up and down a set of organisations in a linear fashion, the extended enterprise is a complex network of relationships. Risks arise from the underlying outsourced activity, but also from involvement with third parties. Being interconnected, all organisations are affected by the culture and practices of others in their network.

Businesses should be concerned about extended enterprise risk. The Covid-19 crisis is a good recent example of why. It showed the impact of food supply chain shocks and reliance on outsourced IT and call centre staff.

Any organisation is only as strong as its weakest link, which may be a third party. It may even be a so-called ‘fourth party’, a third party of one of its third parties. The Payment Card Industry Security Standards Council (PCI SSC) realised this in the context of protecting sensitive cardholder data.

It published the Information Supplement: Third-Party Security Assurance to help organisations and their third parties better understand their roles in securing card data, thereby reducing risk. However, the principles are more generally applicable.


1. Conduct due diligence on third parties

To protect your business from risk and ensure that you get best commercial value, conduct due diligence on potential third parties. Your procurement department can provide in-depth advice. But essentially, examine the third party’s financial background, trading history, operational background, competence to conduct the contracted services and legal/ethical considerations.

Generate a risk profile of the third party, with recommendations on how you may be able to mitigate those risks. This will also assist in developing the commercial and financial conditions in the final contract.


2. Agree a robust, written contract, policies and procedures

A robust, written contract binds the third party to operate in a prescribed manner. It’s another way to manage third-party risks as part of a matrix of measures. You are advised to have a contract in place with every third party that provides services to you.

Broadly, the contract should clearly define respective roles and responsibilities, and help protect you from financial and reputational risks arising from third-party actions.


3. Monitor activity

Risk management is never a one-and-done activity. Anything could change in your business, in that of your third party, in the wider environment and so on. The importance of monitoring cannot be overstated when it comes to third-party risk management: a business may outsource a function, but it retains the reputational risk, and sometimes the legal liability, if things go wrong.

Depending on the nature of the services contracted, monitor the performance of the third party. Have policies and procedures in place to action the results of this monitoring. And also monitor the effectiveness of your own monitoring.


4. Manage the relationship

Third-party relationships are potentially significant. Manage them as you would one of your largest merchant accounts. Dedicate sufficient internal resource to the relationship. This will likely involve almost every function in your business, from legal to finance and from IT to risk management.

Effective communication is essential in any relationship, so schedule regular reviews with your third parties. Share business plans and strategic direction with them; encourage them to be similarly open in the partnership.


Want to know more?

For a free consultation on your payment data security needs, e-mail sales@pxpfinancial.com or complete your details on the contact form below.