November 15, 2016 • Published by Chris Bucolo
Internet of Things • Network Security • PCI Compliance
What do CVSphoto.com, Jimmy John’s and the Detroit Zoo have in common? All three businesses were in the headlines as payment card data breach victims. And, all three breaches were the result of hacked service providers that, once compromised, provided the cyber thieves with easy access to these companies’ customer information, including payment card data.
Third party relationships make your life easier in a multitude of ways, from streamlining processes, to providing additional human resources, to ensuring operational efficiency. Unfortunately, these relationships also introduce increased business risk related to data security and compliance. If one or more of your third party vendors doesn’t maintain a strong security posture and is consequently compromised, your business could very well end up sharing the burden of recovery.
Here are three steps you can take to lessen your business’s third party risk:
Step 1: Educate yourself on what types of businesses constitute a “service provider” under the Payment Card Industry Data Security Standard (PCI DSS). If you know who they are, you can start asking the right questions.
According to PCI Security Standards Council, there are four main categories of service providers:
Step 2: Identify any of your vendors that fall into one or more of the above categories, then ask each if they know they are a service provider in relation to PCI. If they don’t know, or don’t even know what the term means, this is a bad sign. In fact, PCI DSS Requirement 12.9 requires service providers to acknowledge in writing to customers their responsibilities for securing the customers’ cardholder data or the customers’ cardholder data environment. If they are not prepared to provide that acknowledgement in writing, look elsewhere for the services that vendor provides, or require that they obtain an Attestation of Compliance (AoC).
Step 3: Find out if the service provider has had a Level 1 PCI assessment and has an AoC dated within the last 12 months. If they say yes, check to see if their business is listed on the Visa Global Registry of Service Providers. Then, each year as you validate your own business’s PCI compliance, make it a standard operating procedure to ask your service providers to provide their current AoC.
As your business connects with partners and vendors to gain more agility and scalability, it’s increasingly important to proactively identify any PCI-related service providers and then ask them the right questions to ensure they take data security seriously.