Our thinking

PCI DSS – Do My Suppliers Have My Back?

The purpose of this article is to give you a brief overview of the PCI DSS requirements relating to suppliers.

The Payment Card Industry Data Security Standard (PCI DSS) applies to all organisations that accept card payments (including yours!). The purpose of PCI DSS is to protect cardholders’ financial information by setting a minimum security standard that all merchants must meet or exceed. The standard is set by experts, and is designed to minimise the risk of data theft in most scenarios.

Unfortunately, the PCI DSS standard does not begin and end at the boundaries of your organisation. If you outsource any part of your payment process, both you and the supplier are responsible for ensuring compliance with PCI DSS.

What is PCI DSS?
The major card companies (Visa, Mastercard, AMEX, Discover and JCB) have always had security policies which they expected their merchants to adhere to. In 2004, the five companies decided to combine their standards to form a single, international standard administered by the Security Standards Council (SSC) which would apply to all organisations that accepted card payments.[1]

To comply with PCI DSS, organisations which accept card payments must complete a Self-Assessment Questionnaire (SAQ) every year and submit the results to their card payment services provider.

PCI DSS and service providers
If you outsource any part of the card payment process, Requirement 12 (included in all the PCI DSS SAQs) sets out how you must manage the relationship with the service providers.

The first section of the SAQs asks you to identify any third-party service providers who handle cardholder data. This may involve processing payments on your behalf or receiving card information for the purposes of running a loyalty program – in short, any activity which involves a third party having access to your customer’s full card details (complete card number and CVV).

You must complete Requirement 12 for every third-party service provider who has access to your customer card data. If a sub-requirement cannot be met for one service provider, you will be non-compliant with that sub-requirement.

Note that suppliers who have access to customer information but who do not have access to a complete card number and CVV are not covered by PCI DSS. For example, you may send packing notes to a third-party warehouse and shipping service which show the last four digits of a card number to confirm payment. In this instance, the third party is not handling or processing card information, so they will not be within the scope of your annual self-assessment.

Requirement 12 makes organisations responsible for maintaining and implementing policies and processes to manage service providers who receive card data or who could affect the security of card data. Requirement 12 has five sub-requirements:

12.8.1 – Is a list of service providers maintained, including a description of the service(s) provided?
12.8.2 – Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment?
12.8.3 – Is there an established process for engaging service providers, including proper due diligence prior to engagement?
12.8.4 – Is a program maintained to monitor service providers’ PCI DSS compliance status at least annually?
12.8.5 – Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity?

Vendor management
As you can see, most of these requirements will be easily met if your organisation has a good vendor management program in place. A list of suppliers (12.8.1) and a supplier engagement process (12.8.3), for example, are simple good practice.

Your vendor management program may not specifically include a requirement to monitor PCI DSS compliance (12.8.4), but would usually include a process for conducting an annual quality and compliance review. For example, many companies ask vendors to provide evidence that they maintain adequate insurance cover by sending copies of their policy documents to the Vendor Manager each year. PCI DSS monitoring can be included in this process by asking vendors to provide a PCI DSS Attestation of Compliance with their other annual review documents. It may also be possible to access an Attestation of Compliance from the vendor’s website – many larger organisations make this document available publicly.

Similarly, your vendor database will generally include information about the services each vendor provides – it is a relatively simple process to add the card payment activities which the vendor is responsible for to this list, together with the relevant PCI DSS requirements (12.8.5). The PCI DSS requirements which are managed by your organisation can be documented in your SAQ each year.

The written agreement (12.8.2.) is more complex. Many service providers have standard contracts which include a disclaimer which specifically states that the data owner is responsible for security. This directly contradicts sub-requirement 12.8.2, which states that the service provider must acknowledge, in writing, that they are responsible for keeping the data secure.

If this occurs, one solution is to say that your organisation complies with 12.8.2 with controls. This indicates that your organisation is prevented from complying with 12.8.2 in full, but has taken steps to mitigate the risks of non-compliance. This will require you to complete the Compensating Controls Worksheet for each vendor who has not provided a compliant contract. In each instance, you will need to complete a thorough risk assessment and provide documentation which clearly shows that you have no alternative except to accept and mitigate the risk of continuing to deal with that supplier.

For example, if your payment services provider will not provide a compliant contract, you should ideally have documentation which shows that they have refused to provide an appropriate contract. You should also have evidence that you have spoken to other payment services providers who have refused to provide compliant contracts. The expectation is that organisations will take all reasonable steps to comply with the standard, so a Compensating Controls Worksheet should only be considered as a last resort!

Often, PCI DSS compliance can be achieved simply by following good business practises.

For more information about PCI DSS requirements, visit https://www.pcisecuritystandards.org/document_library?category=saqs#results to download the most recent SAQs.

[1] https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard