Service providers are a key component to ensuring compliance.
Outsourcing to a PCI-compliant service provider is one of the best ways business owners can help reduce their PCI obligations and risk of a data breach. As a business owner, it is your responsibility to make sure you are partnering with the right service providers.
How should you approach this third-party relationship, and what questions should you ask potential service providers in order to ensure they are reputable and will dutifully safeguard your customers’ cardholder data?
Evaluating a Third-Party Relationship — Frequently Asked Questions
Who qualifies as a service provider?
First, it is critical that you know which service providers store, process or transmit cardholder data (CHD) on your behalf, or could otherwise affect the security of your customers’ card data. Surprisingly, many small business owners are not aware of all the players involved and, as a result, have no idea whether these providers are taking the right steps to protect their customers’ data and, ultimately, their business.
A service provider is any business entity that is directly involved in the processing, storage, or transmission of cardholder data. Some examples of common service providers include:
- Independent Sales Organizations (ISOs)
- Transaction processors
- Payment gateways
- Hosting companies
- Managed security services providers (MSSPs)
- Third-party marketing firms
- Vendors that perform POS maintenance
How do I choose a service provider?
Business owners should have a set process for choosing a service provider (for example, verify PCI compliance status, research the company’s track record for any breach events, review documented customer complaints, etc.). You can check on the compliance state of a service provider by accessing the Visa and MasterCard registry lists, or by contacting the service provider directly.
If the service provider is not on a registry list and has opted to “self-assess” their compliance, it is important to ask the provider for proof of PCI compliance. If the service provider cannot provide formal documentation proving their compliance, it is recommended that you select a provider that has completed a Level 1 on-site assessment conducted by a Qualified Security Assessor (QSA).
What questions should I ask potential service providers to validate their PCI-compliance status and procedures?
- What is included in their incident response plans?
- Have they experienced any data breaches?
- How many years have they been in service?
- Are there available client recommendations?
- Do they run background checks on employees? (This is required for PCI compliance.)
- Are there any complaints found through the Better Business Bureau?
Once I identify my service providers, how should I proceed?
Next, you should maintain a list of your service providers and check their PCI status at least quarterly. Most importantly, ensure that written agreements are in place acknowledging data security responsibility, down to which PCI requirements each provider is handling. You should also ensure that the liabilities and responsibilities of the service provider in case of a breach are clearly stated and agreed in writing.
What if I am an e-commerce merchant?
E-commerce merchants that do not have in-house expertise or resources should consider fully outsourcing their payment-card processing operations to a PCI-compliant service provider.
By using a fully outsourced service provider, you are not storing, processing or transmitting cardholder data in electronic format on your systems. This option also greatly reduces your PCI DSS validation requirements.