Last month, we hosted a webinar, alongside The Payments Academy, that addressed the challenges of managing third parties who don’t recognize their role and responsibilities in the e-commerce space.
Understanding the extent of your e-commerce outsourcing is crucial for determining your organization’s responsibilities regarding PCI DSS compliance. Some models or integrations allow third parties to impact the security of payment card data, such as by hosting web redirects to the payment page or embedding payment forms. Other third-party interactions directly involve payment card data security, including payment gateways and processors.
While this is currently a hot topic, we think it’s important to go back to the basics regarding managing third-party service providers (TPSP).
- Establish and communicate a review process so your organization knows where to begin when a merchant department wants to engage with a new TPSP. This process may include:
- Reviewing a data flow diagram.
- Ensuring the Attestation of Compliance (AoC) supplied meets the services of the engagement.
- Vetting the AoC is valid by the dates listed.
- Documenting the roles and responsibilities of each party.
Keep in mind, that all PCI DSS requirements must be covered in the documented responsibilities and agreed upon by all parties.
- Once the review process has been completed and all parties agree to move forward, protect the organization by ensuring the contract and agreement language holds each party accountable. View our checklist for TPSPs. While not required in the DSS, our best practice recommendation includes these safeguards within the contract:
- Acknowledgment of Responsibility for PCI DSS compliance
- Notification of breach
- Proof of Compliance documentation upon request
- Maintaining compliance and termination options
- Requirement 12.8.1 requires the organization to have and maintain a list of TPSPs. We’ve seen this as simple as a chart or table and as complex as a database. Keeping in mind the simplicity of use leans itself to being maintained, so don’t overthink it. Some helpful data points to include might be:
- Contact information (technical and customer rep)
- Services provided (i.e., hosted payment gateway)
- Who is the merchant of record?
- URL to Final Payment Page/Form
- Who has the vulnerability scanning responsibility?
- Compliance dates from the supplied AoC
Ensure the right people have access to this list. While it may be limited to the PCI Team, for business continuity, it shouldn’t be a file accessible by only one person in the organization.
- The fun doesn’t stop there. Just as your organization maintains PCI DSS compliance, so should the TPSPs. It’s critical to continuously track the compliance status of the TPSPs you engage with. During your annual scope review, ensure the TPSP’s scope hasn’t changed, such as modifications in services that would require a reassessment of responsibilities.
As a dedicated Qualified Security Assessor (QSA), CampusGuard is here to provide support, answer questions, and simplify the process of achieving and upholding PCI DSS v4.0 compliance. Contact us to get started!
