New PCI Third-Party Guidance: No More Out-of-Sight-Out-of-Mind

The PCI Security Standards Council, which sets the security rules for payment cards, has issued new guidance on outsourcing payments-related work to third parties. The message: you can't hand off security and then forget about it.

The Payment Card Industry Security Standards Council has issued new guidance on how retailers, banks and other companies that accept credit and debit cards should deal with third-party service providers.

The new PCI guidance, published in early August, comes in the wake of the massive Target breach discovered last fall, in which a third-party supplier's compromised network was the doorway into Target's systems. But the guidance document had been in development for much longer than that, by a special-interest group of merchants, bankers and others involved with payment cards, according to PCI Council Chief Technology Officer Troy Leach.

The 47-page document, "Third-Party Security Assurance," adds no new requirements; it focuses on best practices for meeting the existing requirements of the PCI Data Security Standard (PCI DSS). It includes detailed advice on vetting third-party service providers, developing written agreements with them, and then monitoring and communicating with them on an ongoing basis.

That’s much needed, said Jeff Hall, a Senior Security Consultant with FishNet Security who has been a PCI security assessor since 2007. “In a lot of organizations, based on my experience, the attitude is, hey, security is the third-party’s problem,” Hall said. “There’s this thought process that if I push it off to somebody else, then it’s not my problem.”

That out-of-sight-out-of-mind mindset is an especially serious problem when third-party service providers outsource some of their own work to still other parties, or make other changes that aren't communicated to the retailer or bank until the next annual security audit comes around.

“To a degree, that’s why you go to third parties,” Hall said. “You’re looking to them for their experience and expertise to take a problem off your hands. But that doesn’t just mean that you walk away. You still have skin in the game here.”

While the PCI DSS requirements themselves are necessarily fairly general — the right way to secure a given payments environment depends on how it's structured and the technology it uses — the new third-party guidance is much more detailed. It includes flowcharts for selecting and vetting third-party providers, along with checklists for creating written agreements and dividing responsibilities between the two parties.

The new guidance also puts heavy emphasis on ongoing monitoring and communication between card-accepting entities and their third-party providers, something that has been lacking in PCI efforts in the past.

Security can’t be handed off — it has to be shared, Hall said. “Just because you’ve outsourced it doesn’t mean you’ve removed every bit of responsibility,” he said. And lack of security focus on the part of retailers and other card-accepting entities can’t be dealt with by outsourcing the job, either. “If you don’t have the discipline now, this is just going to speed up the problem,” Hall added.

And while Hall applauds the new guidance in general, there are a few spots where it remains fuzzy. Case in point: a note that reads: "Some payment card brands require certain types of service providers to validate PCI DSS compliance. Per payment card brand rules, for certain types of services, only those service providers who are listed and deemed PCI DSS compliant may be used."

Both Visa and MasterCard maintain such lists of pre-approved suppliers who have paid to be certified, though strictly speaking no one is required to use them, Hall said. “Now, do they prefer that you use the certified providers? You bet. But all that is, is a paid-for list.” He suggested the note may have been included in case any of the card brands ever came up with a more substantial set of third-party supplier requirements.

But as a Qualified Security Assessor (QSA), Hall still likes the idea of detailed guidance full of specific examples. "The beauty of this document is that it gives people a framework to use as a risk assessment," he said. "I think if people will just use that framework and do it, that's probably the best thing the guidance does."