Last month the Payment Card Industry Security Standards Council (PCI SSC) released its Information Supplement: PCI DSS E-Commerce Guidelines. The guidelines are aimed at e-commerce merchants and explain how to stay compliant whether payment processing is outsourced, kept in-house, or handled through a hybrid arrangement.
The supplement contains useful guidance on the relationship between merchants and third-party service providers, covering how to address the risks of outsourcing at every stage: selecting a provider, engaging one, and managing the relationship on an ongoing basis. Here are a few of the tips highlighted in the guidelines.
Potential Service Providers
Much of the detail in this section is about becoming informed before choosing a provider. Requesting quotes from several providers not only lets a merchant find the most cost-effective company, but also gives a clearer picture of what most services offer, including add-ons that are not mandatory but are attractive for security or convenience. Researching each provider is equally important: ratings, reviews, thought leadership, and information about the types of clients they support all help form a solid basis for deciding which service provider is the best fit.
Contracting a Service Provider
Once a service provider has been chosen and the contract is being drafted, the agreement should spell out the respective PCI compliance responsibilities of the service provider and the merchant. This draws a clear line between the two parties so there is no confusion about who is taking care of what. It bears repeating that the merchant remains ultimately responsible for the security of all cardholder data, including data handled by the service provider; but knowing which aspects the provider handles (and what it does to meet those specific requirements) lets a company allocate its own resources without fear of missing a critical requirement.
Service Provider Management
This section covers the ongoing duties a merchant should perform to keep track of its service providers' efforts to remain compliant. This includes reviewing the third party's signed Attestation of Compliance (AOC) to confirm that its compliance is current; like merchants, service providers must renew their validation every year. The PCI SSC also suggests obtaining specific information about breach processes and hardware configurations:
‘If outsourcing web-hosting services, ask the provider for standard hardware and software configurations, a defined schedule for updating hardware and software patches and versions, a 7x24x365 active monitoring service, and support for investigations in the event of a security breach.’
PCI Compliant Requirements & PCI Compliant Services Matrix
The PCI DSS (Payment Card Industry Data Security Standard) requires the use of certain technical security services. The matrix referenced here pairs each requirement with a PCI compliant service that fulfills it.
Understanding Big PCI Compliance Pitfalls
PCI DSS (Payment Card Industry Data Security Standard) compliance matters to any company that processes, stores, or transmits cardholder data. However, its 12 security requirements are complex and technical (each requirement is broken into many sub-requirements, so that in total there are more than 200 points to consider), and many companies stumble on the way to compliance.