
The Importance of Third Parties in PCI-DSS Compliance

What to consider when dealing with third parties (Service Providers)

To begin with, we must define what a third party (Service Provider) is according to the PCI SSC. A third party (Service Provider) is any business entity, other than a payment brand, that is directly involved in the processing, storage or transmission of cardholder data on behalf of another entity. This also includes companies that provide services which control, or could affect, the security of cardholder data [1].

From the point of view of liability for the information, it is important to keep in mind that if card data shared with a service provider is leaked, the consequences (financial losses, damage to reputation) are borne by the entity that contracted the service. With the meaning of the term third party or service provider and the responsibility for the data now clear, let's get down to business.

In order to minimize the risk involved with third parties, to achieve compliance with the PCI-DSS standard and, of course, to maintain it, a series of steps must be taken into account. These steps help compliance validation proceed more smoothly and make the relationship with third parties truly collaborative.

The first thing to do is to define what kind of service we are going to require from the third party and the possible impact it may have on the security of cardholder data in the cardholder data environment (CDE). This allows us to make an appropriate selection among the companies that can provide the service we need.

The second step is to determine whether the service provider to be hired will store, process or transmit cardholder data, or otherwise impact the security of the CDE. If so, we must ask whether the third party being selected is in compliance with the PCI-DSS standard or not.

After completing the previous steps, you should ask the third party for documentation or evidence validating its PCI-DSS compliance. If it is compliant, it is enough to request its AOC [2]; it must then be verified that the scope presented in the AOC covers the service the supplier is going to provide to the company. If the supplier is not compliant, the documents evidencing how it meets the applicable requirements of the standard must be requested.

At the time of contracting, the communication channel with the third party, the responsibility for the data and the documentation that will be requested to validate compliance with the PCI-DSS standard must be clearly stated in writing. A responsibility matrix must also be drawn up together with the third party, since it makes it possible to clearly identify which controls correspond to the third party, which to the company and which are shared. In addition, the service agreement should include the actions to be taken in the event that the third-party service provider fails to comply with the PCI-DSS controls assigned to it.

This will give us an ally that helps us avoid problems with service providers at the time of the assessment.

Some examples of third parties or service providers are:

  •  CTI outsourcing
  •  SaaS providers
  •  Processing outsourcing
  •  Document management companies
  •  Hosting
  •  Development
  •  Infrastructure and cloud management
  •  Media management (if they have access to data or manage data access mechanisms)

To conclude: appropriate management of service providers minimizes the risks to the shared information and/or the impact on the security of card data. In addition, it should be emphasized that the entity transfers a process to a third party, but not the responsibility for the card data. Finally, if the responsibilities regarding the requirements of the standard are defined from the beginning and formalized in a contract, the company seeking validation of PCI-DSS compliance can carry out the process more smoothly, without stumbling blocks in the validation of the standard's requirements.

  1. PCI_DSS_V3_Glossary_ES-LA
  2. Attestation of Compliance

Author: Diego Fdo. Sánchez T.

Junior Consultant II, IQ-Information Quality.