As discussed in one of our recent blog posts, PCI DSS v4.0 introduces additional requirements for third-party service providers, and we recommended that you begin reaching out to vendors now to inquire about their plan for transitioning to and meeting new requirements under v4.0.
Along with these proactive conversations with your merchant departments and any involved vendors, CampusGuard also recommends the PCI Team take some time to officially inform and prepare senior leadership and your procurement/legal teams for possible challenges that may arise as we reach the upcoming migration date for v4.0 on March 31, 2024.
For example, how will the organization respond if challenges arise when requesting updated compliance documentation from current third-party vendors? What if a vendor ignores your requests, refuses to provide a written acknowledgement of PCI responsibilities, or fails to provide a current, accurate, and completed Attestation of Compliance (AOC)? What if a vendor responds and lets you know they are not planning to meet the new requirements under v4.0? Does your organization require AOCs to also be signed by a QSA? If so, is the vendor prepared to successfully complete a Report on Compliance under PCI DSS v4.0?
It is typically not a quick or easy process to terminate a vendor relationship or evaluate, select and contract with a new vendor. Who is going to be responsible for breaking the news to a merchant department that they are no longer allowed to use a specific vendor? Will senior leadership back that decision, and can the organization legally break a long-term contract with a vendor if they are no longer compliant?
It will be important for organizations to review current PCI contract language to see if terms are included that state a vendor’s responsibility to provide an up-to-date AOC annually and to maintain PCI DSS compliance for the duration of the agreement term. The contract language should also stipulate that the vendor must define which PCI DSS requirements are the responsibility of the third party and which are the responsibility of your organization, including any shared responsibilities. Outline terms under which the vendor must immediately notify your organization if it learns it is no longer able to maintain PCI DSS compliance, and/or provide the steps being taken to remediate non-compliance.
Work with your procurement teams now to review current agreement language and build in necessary terms through a possible addendum or as contracts approach renewal dates. It is also important to flag agreements for applications that could potentially involve payment processing in the future (i.e., it is not a feature currently enabled, but something a department could easily switch on if desired).
Don’t wait until next year to start discussing these possible scenarios. Defining your vendor oversight program and involving senior leaders is critical. Start by getting answers to these questions:
- Who is responsible at the organization for collecting third-party compliance documentation on an ongoing basis?
- Is IT Security involved in initial vendor risk assessments? Document how and when they are involved, and what their role is.
- Is IT Security involved in periodic reviews of a third-party service?
- Does the central PCI Team request updated AOCs annually or is this the responsibility of the individual merchant area that has contracted with the vendor?
Additional guidance from our Payments Security team:
[Harpool]: “Establishing ongoing vendor reviews and oversight plans is critical in maintaining compliance and ensuring customer data security. If the PCI team can proactively inform senior leaders and department leaders of the upcoming requirements and discuss potential risks involved for your organization if a third-party vendor is non-compliant, you can prevent many future headaches while effectively protecting your organization’s customers and reputation long term.
When you talk to senior leadership, discuss these upcoming documentation changes. Let them know you expect most will comply, but that some vendors may not be able to meet these standards, may not think they apply, or may elect to be non-compliant. Have that discussion now as you prepare for the new standard. In consultation with leadership, draft an outline of actions when a third party fails to comply. Define your institutional standard for using third parties that fail to comply with PCI DSS or other payment and data security regulations. Recognize your institution’s risks by using non-compliant vendors and understand which actions leadership will support, up to and including possible contract termination. Proactively informing senior leadership helps ensure everyone knows their third-party compliance responsibilities.
If all goes as planned, all third parties will fall dutifully in line and provide all necessary documentation and written assurances demonstrating they are compliant with PCI DSS and that payment and data security are two of their highest priorities. Some of you may have just had a nervous laugh after reading that. That’s because you know business with third parties sometimes goes differently than planned. We know vendors like to tell us ‘that no one has ever asked for that before.’ As threats evolve, so too must our compliance efforts. Embrace this response: ‘We are all asking now.’ It’s high time they learned that the higher education community talks to each other frequently.
If you need help communicating this information to the right people, CampusGuard is here to assist you.”