Hot water and PCI compliance

There are a lot of online registers for reputable tradesmen. Many of these provide contact details for reliable plumbers in any given area, together with ratings and personal recommendations. In theory, you need look no further: your job will be completed to your entire satisfaction. On time. And in budget.

Yet, in reality, most of us know that there is still a measure of personal responsibility required to check whether the credentials are genuine and the glowing testimonials are accurate. Because if one small element of a plumbing job is overlooked, it is our shower that runs cold, not the tradesman’s. In the end, you can outsource any job but, if even a small part of it goes wrong, you are the one that ends up in hot (or cold) water.

So, when Visa makes claims for its Global Registry of Service Providers, it is worth applying the same critical faculties. That is not to cast any aspersions on the integrity of the list because it is an extremely valuable tool. But the sole responsibility for an organisation’s payment card security lies with that organisation; not with a third party which operates behind the scenes.

PCI Requirement 12.8 states that businesses must ‘maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data.’

They are also obliged to keep a list of all the service providers that fall under this banner and to have a program for monitoring these third parties’ compliance status. Checking the Visa list is one way of doing that. But your organisation’s security measures must go much deeper – and be more personal – than this. It is advisable to have a nominated person within the business to manage PCI compliance and also to maintain the policy for engagement with third parties, such as due diligence checks.

Having a checklist of what is required is also very important. If you are going to outsource some of the security functions to a third party, you will need to check that no elements of your security management framework have fallen through the cracks. For instance, if you outsource the physical destruction of paper media that contains sensitive information (such as card numbers and order data), the third party must be able to demonstrate that, even if they are registered with the Visa (or any other) list for some of their operations, they have been assessed against the elements of the PCI standard that deal specifically with physical security and data destruction.

This method, often referred to as the Third Party Compliance Matrix, is a neat way of mapping out all of the requirements and ensuring that total coverage is achieved across your own business and via the various third parties that you use.

Ultimately, you can outsource virtually every aspect of your payment card management apart from the actual responsibility to securely manage your environment. Risk transfer is all about making sure you understand the contractual relationship and the obligations of your third party suppliers. This responsibility lies with you and only you. If something goes wrong, it is you that will end up in hot water, rather than the fairly anonymous third party behind the scenes. Which brings us back to the dodgy plumbing and the cold shower.
