Any company that stores, transmits, and/or processes credit card data needs to be compliant with the Payment Card Industry Data Security Standards (PCI DSS). This is oftentimes a cumbersome task, involving time, money, and other resources that can put strain on a business. In order to simplify the road to compliance, many companies choose to outsource their applications to a PCI hosting provider.
This can have its own set of challenges, however. The responsibility for PCI compliance is ultimately on the merchant, making the decision of who to work with an important and difficult choice. Hopefully these tips can help make that process a little easier.
Get the audit reports
When shopping around for a PCI compliant hosting provider, doing the due diligence to make sure they’ve followed all the necessary guidelines will save time and money when your auditor comes to call. Any potential providers should have a PCI DSS Report on Compliance (ROC) from their independent audit available to share with you. Not only will it provide you with explicit processes they use to keep them compliant, but the ROC can then be given to the QSA (Quality Security Assessor) to make your own audit simpler and quicker.
Keep your service providers organized
Organization is going to go a long way, no matter what subject we’re talking about. However, in regards to PCI hosting providers, having a concise list of providers that you work with, complete with contract information, is imperative. This list is going to make it easier for you to track the provider’s audit records, to ensure that they can prove to you ongoing compliance. Be sure to update that report any time a provider is added, removed, or if the contract has changed.
Get accountability in writing
PCI hosting providers should have a process in the event of a data breach. This plan should include a time frame for merchant notification. It should also include both the process of storing, and of destroying data once the contract has expired. Understanding how your data is being disposed of can keep you and your service provider from ending up with a fate similar to Walgreens, who was found in California last year with a mixture of hazardous waste and PHI in their dumpsters, and had to pay over $16 million in fines.
Monitor your provider’s compliance
As we’ve said countless times before: compliance isn’t just a check in the box, but a constant process to provide ongoing security to customers. While it would be easy to simply see that a hosting provider has been independently audited, it is crucial to continue checking back in. This way you have transparency into details of the provider’s workings that are important to your business – things like their dates of compliance and audit reports, for example. Simply put, having a good relationship with your hosting provider can help your business run more smoothly, and could keep you from the nasty costs and customer dissatisfaction that comes with a data breach.
To a business owner, the safety of customer data should be paramount to all other concerns. PCI compliant hosting providers can work together with merchants to keep that data protected without the extensive costs and resources associated with in-house hosting. But not all service providers are the same. So take the time to truly qualify your service provider. Not only can it save you time and money in the long run, it might save you some sleepless nights too.