Compliance with the PCI Security Standards is essential for any organization that stores, processes or transmits cardholder data, and online merchants most of all. In today's tech-centric world, where customers increasingly prefer the convenience of online shopping to the hassle of visiting brick-and-mortar stores, an organization that takes PCI DSS compliance lightly is gambling with both its customers' card data and its own survival.
Until recently, the focus of PCI compliance efforts was the merchant, and the relationship between the merchant and its third-party service providers was not clearly defined. The burden was on the merchant to ensure that its providers met the PCI DSS requirements, with little guidance on how to do so. The PCI Security Standards Council has now released an information supplement that addresses that relationship directly, covering third-party providers such as data centers. It lays out a framework for a security assurance program so that merchants and their service providers can keep payment data secure, reduce the likelihood of a breach, and demonstrate that PCI DSS requirements are being met on both sides.
The supplement, titled “Third-Party Security Assurance Information Supplement,” introduces no new compliance requirements. It is an expansion of guidance on requirements already in force, spelling out the policies and measures a merchant should expect a third-party provider to have in place. In particular it explains how to satisfy PCI DSS requirement 12.8 (managing service providers with whom cardholder data is shared, or that could affect its security), and it walks through the practical issues: how to determine which of a provider's services and systems are in scope, how to perform due diligence before signing a contract, how to maintain a working relationship with the provider afterwards, and how to monitor the provider's compliance status on an ongoing basis. It also guides merchants in crafting detailed written agreements when outsourcing, so that each party knows exactly which PCI DSS requirements it is responsible for and no requirement is left assumed to be someone else's job.
Drawing on input from more than 160 organizations in the Council's Special Interest Group (SIG), the supplement should go a long way toward helping merchants and the third parties that handle cardholder data understand their respective security roles and responsibilities. It will also help merchants vet prospective providers before establishing business relationships with them, rather than discovering gaps after a breach.
PCI DSS is, at bottom, a set of pragmatic best practices covering data protection, network security, encryption, access control, monitoring, testing, policy development and more, all of which strengthen the security of any organization. Merchants and data centers would do well to implement these practices even where no compliance requirement compels them to.