Outsourcing operational responsibilities
While it is not possible to outsource compliance responsibilities, it is not uncommon for companies subject to the Payment Card Industry Data Security Standard (PCI DSS) to outsource certain operational responsibilities to third-party vendors. There are many reasons for doing so, ranging from risk transference, a lack of domain expertise or the desire to shed non-core operational activities, to simple cost reduction.
There is always a clear need to ensure that the relationship is defined through a formal legal agreement, which clearly spells out roles and responsibilities. The company doing the outsourcing should maintain an operational programme for managing and monitoring the compliance of the vendor to which it has outsourced certain business or technical functions.
This is not as simple as it looks and there are many problems that can arise. In this article we want to highlight some of the challenges and benefits that can be derived from implementing a successful third-party due diligence programme.
Due diligence procedures
Developing comprehensive due diligence procedures to be carried out prior to a formal engagement can be a daunting task without some formal guidance. The following important topics should be considered:
- Compliance with industry or government regulatory standards
- Financial stability
- Breaches, litigations, sanctions
- Information security programme
- Data and asset protection
- Physical security
- Business continuity – incident response
- HR – pre-employment checks, JML, training and awareness
- Compliance – KYC, AML, anti-bribery, regulated entity
The process must also be documented and consistently implemented to ensure that it can be audited and accounted for within the company’s own compliance validation.
Some service providers may have a direct relationship with the payment brands or their member banks and therefore inherit an obligation to demonstrate compliance with the controls relevant to the services they provide. The same principle applies to service providers that are engaged by merchants or other entities.
Depending on the type of service, and in some instances the annual transaction volume, service providers are given the following two choices:
- Annual assessment: Service providers can undergo an annual PCI DSS assessment(s) and provide evidence to their customers to demonstrate their compliance
- Facilitate on-demand assessment(s): Service providers must facilitate and participate upon request in their customers’ PCI DSS reviews
Defining and documenting responsibilities
Being specific about who does what and when is essential. This can avoid complicated and costly situations when disputes or problems with the service do arise. The high-level detail will be contained within the contractual agreement while detail pertaining to individual controls will be specified within a Third Party Shared Responsibilities Attestation Matrix.
The typical clauses that should be covered in the contractual agreement include but are not limited to: Industry Definitions, Scope of Service, Compliance Obligations, Compliance Validation, SLA, Breach Notification, Termination, Insurance, Reporting Changes, Right to Audit, etc. While the contractual agreement clauses are not necessarily a new requirement, PCI DSS v3.0 introduced the need for a more detailed specification of responsibilities.
Identifying, agreeing and documenting shared responsibilities may require considerable time, effort and commitment from both parties, and can be far more complex than situations where the responsibility for a specific control lies with only one party.
From the following excerpt in the April 2015 SSC Newsletter it becomes apparent that organisations struggle to differentiate between compliance and validation: “The analysis of PCI DSS compliance trends as well as the recent data breaches involving cardholder data has revealed that many organisations continue to view PCI DSS compliance as a periodic exercise only, and fail to ensure PCI DSS controls are continuously enforced. In response to these trends, the PCI SSC is planning to issue additional validation procedures that are designed to help organisations illustrate how they are maintaining PCI DSS security controls on an ongoing basis.”
There are different options for monitoring and tracking the compliance of service providers. It may no longer be acceptable to just request an AoC and/or confirm presence on the payment brands’ lists of compliant service providers on an annual basis. The checks that are conducted could be scheduled or ad hoc. In the simplest form, the check could be just a checklist. At the other end of the spectrum, the checks could involve a mini assessment of all key controls. In any case, it is very useful to request evidence, quarterly or bi-annually, of those key controls that have some form of cyclical execution, such as vulnerability scans, penetration tests and wireless scans. All of these should be checked after any significant system changes, in addition to code reviews, application assessments and risk assessments. The checks should also include identification of any legal or ownership changes, migration and/or expansion into new locations or data centres, new sub-contractors, etc.
Leveraging service providers
Every cloud has a silver lining and there can be something positive to be derived from what appears to be only an additional burden. While engaging and subsequently monitoring the compliance of service providers does require additional effort, there may be an opportunity to reduce risk and the scope of compliance. There exists the possibility to reduce costs if the combined cost of outsourcing and monitoring is lower than doing it all in-house. This can be accomplished by migrating non-core activities, sensitive data or internally managed processing to a compliant service provider. Usually, such a decision requires business process re-engineering and while this may require an upfront investment, it could also present the opportunity for long-term cost savings.
In my experience I’ve come across several situations where the engagement of a third-party service provider has resulted in cost savings and/or process optimisations for merchants.
In one case a merchant was required by government regulatory mandates to securely store call recordings that contained sensitive card payment authentication data. Their old and non-compliant call recording storage provider was charging many times the cost of the solution provided by Aeriandi. In the original situation with the ‘non-compliant’ call recording storage, the merchant was seeking acquirer approval for the extraordinary case of retaining sensitive authentication data (SAD) post-authorisation within call recordings for regulatory compliance.
In another case, a merchant with a large call centre migrated to a compliant service provider, who was offering DTMF suppression functionality to de-scope the merchant’s agents and call centre workstations. Previously, the merchant had only been aiming to reduce the scope of their office network to just the call agent’s workstations.
Similar cost savings may potentially be achieved in face-to-face transaction channels. As the number of P2PE service providers grows and competition drives prices down, more and more merchants realise the benefit of having to worry only about the physical security of their POS terminals and the compliance of their P2PE service providers, as opposed to all of the above including their IT infrastructure.
Previously, diligent merchants would attempt to satisfy Requirement 12.8 by asking their provider to include in their contract/written agreement an acknowledgement that the service provider is responsible for the security of cardholder data. However, there was no incentive or obligation for the service provider to sign such an agreement.
Technically, in such a case the merchant would not be able to satisfy Requirement 12.8. With PCI DSS v3.0, service providers are mandated to include such verbiage in their service agreements.
Matthew Bryars, CEO and Co-Founder at Aeriandi
Following a Master’s degree in physics from University College London, Matthew co-founded Aeriandi in 2002, having seen the potential for highly secure, cloud-based business services at an early stage. Matthew quickly applied his problem-solving skills to the business world and has been responsible for building the company from a start-up to a renowned business, running services for some of the world’s largest banks and contact centres. Although the business has grown substantially, Matthew still takes a hands-on approach and remains actively involved in the development process, getting most fulfilment from the delivery of high-quality, relevant solutions based on the company’s hosted multi-channel platform.