By Paul Brennecker, Senior Information Security Consultant & Principal QSA
The Payment Card Industry Data Security Standard (PCI DSS) lists a number of myths relating to PCI compliance. One of these is that outsourcing card processing makes a business compliant. Indeed it does not. No matter which third party is used, outsourcing card data processing does not abnegate the ultimate responsibility. That remains with the merchant. It is still, however, a method used by the majority of retailers to achieve PCI compliance. So, what are the issues with outsourcing and what should you be aware of?
A few years ago the question was posed: ‘Why do you need to keep the card data?’ and an awful lot of retailers stopped and thought ‘we don’t need it at all’. Some had previously used the card number as a unique identifier for customer loyalty tracking but with the advent of more sophisticated schemes for doing this, there is now no reason for the card number to be retained in most cases.
Outsourcing card data payments has become a popular option and it is easy to see why. When a merchant uses a validated third party to capture the payment information from their own website, the actual process of data capture bypasses their systems. In this way, they need not hold client data in-house and thus alleviate some of the obligations associated with PCI compliance. If they are able to demonstrate clearly that no data resides in the Merchant Environment, this means that in most circumstances a PCI SSC Self Assessment Questionnaire A will suffice. This reduces the scope of the PCI compliance program to just 22 controls. A significant number of these controls are related to selecting and managing third parties, but nonetheless the burden of compliance is much lighter on the merchant.
The one thing that can never be outsourced, however, is the responsibility to manage the environment responsibly. Merchants have a contract with an acquiring bank and it is the job of the acquirer to administer penalty fees for non-compliance and for data breaches. If the merchant uses a third party that suffers a data breach, the acquirer will still usually pass the fine to the merchant. They in turn will look at whether the third party was responsible for the data breach and pass the fine on to them. It is for this reason that the contractual arrangements with the third parties must be water tight. There must be a clear assignment of responsibility for the security of data that is shared with the third party and the ability to pass on any penalty fees that are applied as a result of loss of data.
A few further words of caution. Outsourcing simplifies payment card processing but does not provide automatic compliance. Nor is PCI compliance on its own sufficient to protect the Merchant Environment. Like a car MOT, it is only a reflection of the state at a given point in time. Threats to data security continue to rise in both number and level of sophistication. Only a continuous process of assessment and remediation will provide a robust defence against the theft of cardholder data. For more information on all issues relating to compliance and SRM’s portfolio of services click here.